Windows Analysis Report
0BzQNa8hYd.exe

Overview

General Information

Sample name: 0BzQNa8hYd.exe
renamed because original name is a hash value
Original sample name: 5f1628db088440f1b063e29bac5b21e5.exe
Analysis ID: 1435284
MD5: 5f1628db088440f1b063e29bac5b21e5
SHA1: ade03b2c55cc2b4eada6b56d0c1bef3a1d855798
SHA256: 2df2d97f271ccf6d1f16a9cef3c895f4f7dcc0c21fade2e3a693b7c65c7fe5cf
Tags: 32, exe, trojan

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
Connects to many ports of the same IP (likely port scanning)
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found decision node followed by non-executed suspicious APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection

Source: http://147.45.47.102:57893/hera/amadka.exe Avira URL Cloud: Label: malware
Source: http://147.45.47.102:57893/hera/amadka.exe Virustotal: Detection: 18% Perma Link
Source: http://193.233.132.56/cost/go.exe Virustotal: Detection: 19% Perma Link
Source: http://193.233.132.56/cost/sok.exe Virustotal: Detection: 21% Perma Link
Source: http://193.233.132.56/cost/lenin.exe Virustotal: Detection: 21% Perma Link
Source: C:\ProgramData\MPGPH131\MPGPH131.exe ReversingLabs: Detection: 47%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Virustotal: Detection: 49% Perma Link
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Virustotal: Detection: 49% Perma Link
Source: 0BzQNa8hYd.exe Virustotal: Detection: 49% Perma Link
Source: 0BzQNa8hYd.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Source: 0BzQNa8hYd.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00E93EB0 CryptUnprotectData,CryptUnprotectData, 0_2_00E93EB0
Source: 0BzQNa8hYd.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.24.147:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00E933B0 FindFirstFileA,FindNextFileA, 0_2_00E933B0
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00EB3B20 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_00EB3B20
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00E01F8C FindFirstFileExW, 0_2_00E01F8C

Networking

Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49730 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49730
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49730
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49733
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49730 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49734
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49733
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49743
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49754
Source: global traffic TCP traffic: 147.45.47.93 ports 0,5,7,8,58709,9
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 147.45.47.93:58709
Source: Joe Sandbox View IP Address: 34.117.186.192
Source: Joe Sandbox View IP Address: 239.255.255.250
Source: Joe Sandbox View IP Address: 147.45.47.93
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32 (2 connections)
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93 (48 connections)
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00E952A0 recv, 0_2_00E952A0
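The two networking signatures above, "TCP traffic detected without corresponding DNS query" and "Connects to many ports of the same IP", reduce to simple correlations over host telemetry. The script below is an added example, not code from the Joe Sandbox report or from the RisePro sample: it joins constructed Zeek-like DNS and connection records (the IPs and the port list for 147.45.47.93 are taken from this report, the timestamps and the benign resolutions are made up) and returns the peers that were contacted without ever appearing in a DNS answer, plus the peers reached on an unusually large number of distinct ports.

```python
"""Triage heuristics behind the sandbox's networking signatures "TCP traffic
detected without corresponding DNS query" and "Connects to many ports of the
same IP": correlate connection records with DNS answers seen on the same host,
and count distinct destination ports per peer.  Added example; not part of the
Joe Sandbox report.  Log records are constructed (Zeek-like tab-separated rows)
and reuse the report's IPs."""
from collections import defaultdict
from ipaddress import ip_address

# Constructed DNS answers: ts, client, query name, answered IP.
DNS_LOG = """\
1714650001.1\t192.168.2.4\tipinfo.io\t34.117.186.192
1714650001.3\t192.168.2.4\tdb-ip.com\t172.67.75.166
1714650002.0\t192.168.2.4\twww.google.com\t142.250.74.36
"""

# Constructed TCP connections: ts, client, client port, server, server port.
# The 147.45.47.93 rows mirror the port list the report recorded for that peer.
CONN_LOG = """\
1714650000.5\t192.168.2.4\t49730\t147.45.47.93\t58709
1714650000.9\t192.168.2.4\t49731\t147.45.47.93\t0
1714650001.0\t192.168.2.4\t49732\t147.45.47.93\t5
1714650001.2\t192.168.2.4\t49733\t147.45.47.93\t7
1714650001.4\t192.168.2.4\t49734\t147.45.47.93\t8
1714650001.6\t192.168.2.4\t49735\t147.45.47.93\t9
1714650002.5\t192.168.2.4\t49736\t34.117.186.192\t443
1714650002.7\t192.168.2.4\t49737\t172.67.75.166\t443
1714650003.2\t192.168.2.4\t49738\t173.222.162.32\t80
"""


def parse_dns(text):
    """Map every answered IP to the set of names that resolved to it."""
    resolved = defaultdict(set)
    for line in text.splitlines():
        _ts, _client, qname, answer = line.split("\t")
        resolved[answer].add(qname)
    return resolved


def parse_conns(text):
    """Return (ts, client, client_port, server, server_port) tuples."""
    rows = []
    for line in text.splitlines():
        ts, client, cport, server, sport = line.split("\t")
        rows.append((float(ts), client, int(cport), server, int(sport)))
    return rows


def is_local(ip):
    """Skip RFC 1918, multicast (e.g. SSDP 239.255.255.250), loopback and link-local."""
    addr = ip_address(ip)
    return addr.is_private or addr.is_multicast or addr.is_loopback or addr.is_link_local


def conns_without_dns(conns, resolved):
    """Public server IPs that were contacted but never appeared in a DNS answer.

    Caveat: DNS over HTTPS, answers cached before the capture started and
    hard-coded CDN addresses produce the same signal, so treat this as a
    triage indicator, not a verdict on its own."""
    return sorted({server for _, _, _, server, _ in conns
                   if server not in resolved and not is_local(server)})


def many_ports_same_ip(conns, threshold=5):
    """{server: sorted ports} for peers reached on >= threshold distinct ports."""
    ports = defaultdict(set)
    for _, _, _, server, sport in conns:
        ports[server].add(sport)
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= threshold}


if __name__ == "__main__":
    resolved = parse_dns(DNS_LOG)
    conns = parse_conns(CONN_LOG)
    print("no DNS answer:", conns_without_dns(conns, resolved))
    print("many ports:", many_ports_same_ip(conns))
```

On the constructed data both heuristics single out 147.45.47.93, the RisePro C2 from the Snort alerts; 173.222.162.32 is also returned by the DNS check, which is exactly the kind of hit (no DNS visible in the capture, a single well-known port) that needs the caveat in the docstring before anyone acts on it.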
Source: global traffic HTTP traffic detected (identical request seen 5 times): GET /widget/demo/191.96.150.225 HTTP/1.1
    Connection: Keep-Alive
    Referer: https://ipinfo.io/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
    Host: ipinfo.io
Source: global traffic HTTP traffic detected (identical request seen 5 times): GET /demo/home.php?s=191.96.150.225 HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
    Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Gnws5yyo9l+1ZF6&MD=8DXGwmw9 HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
    Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=Gnws5yyo9l+1ZF6&MD=8DXGwmw9 HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
    Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCJDKzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCJDKzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGNfnzbEGIjBpu0AXRtAugJJEK6NXUAWenWNp_rLmDdiE_g0IiJIN8uoI71qSPwXzhiK60YKMB64yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Cookie: 1P_JAR=2024-05-02-11; NID=513=NQ4i_pjD0PTz3LB2GQffomFVtyMSr0Jpr1CTlfjPA8m2D0duNmM8wLAh-PMu9aKY9DXw7nAr1flPcF6Cd3ACUks34pGwRjbxaK_sFAHKSBUWLB1T7R5_4a3884zkKnah3NolGmxmf1QRdjBVNknuFkBIRKXXYqEoGrQeahJCyqU
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGNfnzbEGIjD1WaW_kQpX5UuTH3k6sLaT2sgha20jAZtNUmX4owd2e1RNY717lgQsRK3T9_HrP4AyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCJDKzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Cookie: 1P_JAR=2024-05-02-11; NID=513=NQ4i_pjD0PTz3LB2GQffomFVtyMSr0Jpr1CTlfjPA8m2D0duNmM8wLAh-PMu9aKY9DXw7nAr1flPcF6Cd3ACUks34pGwRjbxaK_sFAHKSBUWLB1T7R5_4a3884zkKnah3NolGmxmf1QRdjBVNknuFkBIRKXXYqEoGrQeahJCyqU
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
    Range: bytes=0-2147483646
    User-Agent: Microsoft BITS/7.8
    Host: fs.microsoft.com
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: global traffic DNS traffic detected: DNS query: db-ip.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: unknown HTTP traffic detected: POST /RST2.srf HTTP/1.0
    Connection: Keep-Alive
    Content-Type: application/soap+xml
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})
    Content-Length: 3592
    Host: login.live.com
Source: 0BzQNa8hYd.exe, 00000000.00000002.1962838850.0000000001A4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe
Source: 0BzQNa8hYd.exe, 00000000.00000002.1962838850.0000000001A4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe68.0Z
Source: 0BzQNa8hYd.exe, 00000000.00000002.1962838850.0000000001A4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/go.exe
Source: 0BzQNa8hYd.exe, 00000000.00000002.1962838850.0000000001A4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/go.exe50.225O
Source: 0BzQNa8hYd.exe, 00000000.00000002.1962838850.0000000001A4C000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1771301416.00000000081CB000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000002.1966017575.00000000081CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/lenin.exe
Source: 0BzQNa8hYd.exe, 00000000.00000003.1771301416.00000000081CB000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000002.1966017575.00000000081CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/lenin.exeum
Source: 0BzQNa8hYd.exe, 00000000.00000002.1962838850.0000000001A4C000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1771301416.00000000081CB000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000002.1966017575.00000000081CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/sok.exe
Source: 0BzQNa8hYd.exe, 00000000.00000003.1771301416.00000000081CB000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000002.1966017575.00000000081CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/sok.exedka.et
Source: 0BzQNa8hYd.exe, 00000000.00000002.1962838850.0000000001A4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/sok.exev
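The HTTP requests recorded above and the next-stage URLs recovered from memory are the two HTTP-layer indicators worth hunting for. The script below is an added example, not code from the Joe Sandbox report or from the sample: it classifies constructed proxy-log entries against the report's payload URLs and against the shape of the public-IP lookups (an IPv4 literal in the path of ipinfo.io or in the query of db-ip.com). ipinfo.io and db-ip.com are legitimate services and the Chrome/123 user agent is a plausible browser string, so the matcher keys on the request shape and on the originating process rather than on the host; the process-image field assumes an endpoint agent that tags each request with its image, and the browser-name exclusion list is an assumption for the example. The Windows Update, BITS, login.live.com and Chrome/117 new-tab requests in the same capture carry their own product user agents and appear to be background activity of the analysis VM, which is why none of them is used as an indicator here.

```python
"""Proxy-log matcher for the HTTP indicators in this report: the public-IP
lookups to ipinfo.io and db-ip.com that precede the C2 beacon, and the
next-stage payload URLs recovered from process memory.  Added example; not
part of the Joe Sandbox report.  Log entries are constructed; the process
field assumes an endpoint agent that tags each request with its image."""
import re
from urllib.parse import urlsplit

# Next-stage URLs exactly as the report found them in memory.
PAYLOAD_URLS = {
    "http://147.45.47.102:57893/hera/amadka.exe",
    "http://193.233.132.56/cost/go.exe",
    "http://193.233.132.56/cost/sok.exe",
    "http://193.233.132.56/cost/lenin.exe",
}

# ipinfo.io and db-ip.com are legitimate services, so the host alone is not an
# indicator; the request shape (an IPv4 literal in path or query) from a
# non-browser process is.  BROWSERS is an assumed exclusion list for the example.
GEO_HOSTS = {"ipinfo.io", "db-ip.com"}
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
GEO_PATH_RE = re.compile(rf"^/(?:widget/demo/{IPV4}|demo/home\.php\?s={IPV4})$")
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe")

# Same user agent the sample sent; a real browser on ipinfo.io could send it too.
SAMPLE_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36")

# Constructed proxy log: (client, method, url, user_agent, process image).
PROXY_LOG = [
    ("192.168.2.4", "GET", "https://ipinfo.io/widget/demo/191.96.150.225", SAMPLE_UA, "0BzQNa8hYd.exe"),
    ("192.168.2.4", "GET", "https://db-ip.com/demo/home.php?s=191.96.150.225", SAMPLE_UA, "MPGPH131.exe"),
    ("192.168.2.4", "GET", "https://ipinfo.io/widget/demo/191.96.150.225", SAMPLE_UA, "chrome.exe"),
    ("192.168.2.4", "GET", "http://193.233.132.56/cost/lenin.exe", SAMPLE_UA, "RageMP131.exe"),
    ("192.168.2.4", "GET", "https://www.google.com/async/newtab_promos", SAMPLE_UA, "chrome.exe"),
]


def classify(entry):
    """Return 'payload-download', 'geo-ip-check' or None for one log entry."""
    _client, _method, url, _ua, process = entry
    if url in PAYLOAD_URLS:
        return "payload-download"
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path + ("?" + parts.query if parts.query else "")
    if host in GEO_HOSTS and GEO_PATH_RE.match(path) and process.lower() not in BROWSERS:
        return "geo-ip-check"
    return None


def scan(log):
    """All (process, url, verdict) hits, in log order."""
    hits = []
    for entry in log:
        verdict = classify(entry)
        if verdict:
            hits.append((entry[4], entry[2], verdict))
    return hits


if __name__ == "__main__":
    for hit in scan(PROXY_LOG):
        print(*hit)
```

The same ipinfo.io request is flagged when it comes from 0BzQNa8hYd.exe and ignored when it comes from chrome.exe, which is the distinction that keeps this rule from firing on every user who opens ipinfo.io in a browser; the payload URLs are matched verbatim because the memory strings give the full URL, so there is no reason to widen them.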
Source: RageMP131.exe, 0000000A.00000002.1935964925.0000000001787000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: Amcache.hve.9.dr String found in binary or memory: http://upx.sf.net
Source: 0BzQNa8hYd.exe, 00000000.00000003.1643419936.0000000005670000.00000004.00001000.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000002.1961502354.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.1868472930.0000000000781000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1720238633.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1868564287.0000000000781000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1728075854.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.1838264301.00000000053A0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.1935062977.0000000000A71000.00000040.00000001.01000000.00000007.sdmp, RageMP131.exe, 0000000F.00000003.1930313331.0000000004940000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000F.00000002.2035657695.0000000000A71000.00000040.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: 0BzQNa8hYd.exe, 00000000.00000003.1731510084.000000000824A000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1734785111.0000000008271000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1732258340.000000000825A000.00000004.00000020.00020000.00000000.sdmp, JZ_Was4YldHsWeb Data.0.dr, 9CCJaOUL98GXWeb Data.0.dr, FHAnyLa3I2CpWeb Data.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 0BzQNa8hYd.exe, 00000000.00000003.1731510084.000000000824A000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1734785111.0000000008271000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1732258340.000000000825A000.00000004.00000020.00020000.00000000.sdmp, JZ_Was4YldHsWeb Data.0.dr, 9CCJaOUL98GXWeb Data.0.dr, FHAnyLa3I2CpWeb Data.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 0BzQNa8hYd.exe, 00000000.00000003.1731510084.000000000824A000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1734785111.0000000008271000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1732258340.000000000825A000.00000004.00000020.00020000.00000000.sdmp, JZ_Was4YldHsWeb Data.0.dr, 9CCJaOUL98GXWeb Data.0.dr, FHAnyLa3I2CpWeb Data.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 0BzQNa8hYd.exe, 00000000.00000003.1731510084.000000000824A000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1734785111.0000000008271000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1732258340.000000000825A000.00000004.00000020.00020000.00000000.sdmp, JZ_Was4YldHsWeb Data.0.dr, 9CCJaOUL98GXWeb Data.0.dr, FHAnyLa3I2CpWeb Data.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: MPGPH131.exe, 00000005.00000002.1871030062.0000000001503000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1869499685.0000000001148000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.1935964925.0000000001787000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000F.00000002.2035206421.0000000000722000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: RageMP131.exe, 0000000F.00000002.2035206421.0000000000722000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/3
Source: MPGPH131.exe, 00000006.00000002.1869499685.0000000001148000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/A
Source: 0BzQNa8hYd.exe, 00000000.00000002.1962838850.0000000001A4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/M.D
Source: RageMP131.exe, 0000000F.00000002.2035206421.0000000000722000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/Q
Source: MPGPH131.exe, 00000006.00000002.1869499685.0000000001148000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.1935964925.0000000001787000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000F.00000002.2035206421.0000000000722000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225
Source: MPGPH131.exe, 00000005.00000002.1871030062.0000000001503000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225C
Source: 0BzQNa8hYd.exe, 00000000.00000002.1966000026.00000000081C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225I
Source: RageMP131.exe, 0000000F.00000002.2035206421.0000000000722000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225K
Source: RageMP131.exe, 0000000A.00000002.1935964925.00000000017CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225YPT
Source: RageMP131.exe, 0000000F.00000002.2035206421.0000000000722000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225Z
Source: MPGPH131.exe, 00000006.00000002.1869499685.0000000001148000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000F.00000002.2035206421.000000000069B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=191.96.150.225
Source: MPGPH131.exe, 00000005.00000002.1871030062.0000000001503000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=191.96.150.2253I
Source: 0BzQNa8hYd.exe, 00000000.00000002.1962838850.0000000001A4C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.1935964925.0000000001787000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=191.96.150.225P
Source: 0BzQNa8hYd.exe, 00000000.00000003.1731510084.000000000824A000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1734785111.0000000008271000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1732258340.000000000825A000.00000004.00000020.00020000.00000000.sdmp, JZ_Was4YldHsWeb Data.0.dr, 9CCJaOUL98GXWeb Data.0.dr, FHAnyLa3I2CpWeb Data.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 0BzQNa8hYd.exe, 00000000.00000003.1731510084.000000000824A000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1734785111.0000000008271000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1732258340.000000000825A000.00000004.00000020.00020000.00000000.sdmp, JZ_Was4YldHsWeb Data.0.dr, 9CCJaOUL98GXWeb Data.0.dr, FHAnyLa3I2CpWeb Data.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 0BzQNa8hYd.exe, 00000000.00000003.1731510084.000000000824A000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1734785111.0000000008271000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1732258340.000000000825A000.00000004.00000020.00020000.00000000.sdmp, JZ_Was4YldHsWeb Data.0.dr, 9CCJaOUL98GXWeb Data.0.dr, FHAnyLa3I2CpWeb Data.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RageMP131.exe, 0000000F.00000002.2035206421.00000000006DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: RageMP131.exe, 0000000F.00000002.2035206421.0000000000717000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/;o
Source: 0BzQNa8hYd.exe, 00000000.00000002.1962838850.0000000001A1B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1871030062.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1869499685.0000000001130000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.1935964925.0000000001779000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000F.00000002.2035206421.0000000000722000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: MPGPH131.exe, 00000005.00000002.1871030062.00000000014AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/O
Source: RageMP131.exe, 0000000A.00000002.1935964925.000000000172F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/S
Source: MPGPH131.exe, 00000006.00000002.1869499685.0000000001126000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/__
Source: 0BzQNa8hYd.exe, 00000000.00000003.1643419936.0000000005670000.00000004.00001000.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000002.1961502354.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.1868472930.0000000000781000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1720238633.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1868564287.0000000000781000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1728075854.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.1838264301.00000000053A0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.1935062977.0000000000A71000.00000040.00000001.01000000.00000007.sdmp, RageMP131.exe, 0000000F.00000003.1930313331.0000000004940000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000F.00000002.2035657695.0000000000A71000.00000040.00000001.01000000.00000007.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: 0BzQNa8hYd.exe, 00000000.00000002.1962838850.0000000001A0C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1871030062.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1871030062.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1869499685.0000000001130000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1869499685.00000000010DC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.1935964925.0000000001779000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.1935964925.000000000172A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000F.00000002.2035206421.00000000006CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.225
Source: 0BzQNa8hYd.exe, 00000000.00000002.1962838850.0000000001A2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.225;
Source: RageMP131.exe, 0000000F.00000002.2035206421.0000000000722000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.225S
Source: RageMP131.exe, 0000000F.00000002.2035206421.00000000006CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.225i
Source: 0BzQNa8hYd.exe, 00000000.00000002.1962838850.0000000001A2A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1869499685.0000000001130000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000F.00000002.2035206421.000000000069B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.150.225
Source: MPGPH131.exe, 00000005.00000002.1871030062.00000000014F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.150.225O
Source: RageMP131.exe, 0000000A.00000002.1935964925.0000000001779000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.150.225w
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://support.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: 0BzQNa8hYd.exe, 00000000.00000003.1733888721.000000000825F000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1731742459.0000000008238000.00000004.00000020.00020000.00000000.sdmp, QA_Wrs4XUenFHistory.0.dr, gXzxHmUZ2_5lHistory.0.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: QA_Wrs4XUenFHistory.0.dr, gXzxHmUZ2_5lHistory.0.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: 0BzQNa8hYd.exe, 00000000.00000003.1733888721.000000000825F000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1731742459.0000000008238000.00000004.00000020.00020000.00000000.sdmp, QA_Wrs4XUenFHistory.0.dr, gXzxHmUZ2_5lHistory.0.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: QA_Wrs4XUenFHistory.0.dr, gXzxHmUZ2_5lHistory.0.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: RageMP131.exe, 0000000F.00000002.2035206421.000000000069B000.00000004.00000020.00020000.00000000.sdmp, DHpYI8xc8c5WJf_4ET3wn7d.zip.0.dr String found in binary or memory: https://t.me/RiseProSUPPORT
Source: RageMP131.exe, 0000000A.00000002.1935964925.00000000016EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTH
Source: MPGPH131.exe, 00000006.00000002.1869499685.0000000001148000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro
Source: RageMP131.exe, 0000000F.00000002.2035206421.0000000000722000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.0.dr String found in binary or memory: https://t.me/risepro_bot
Source: RageMP131.exe, 0000000F.00000002.2035206421.0000000000722000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot$
Source: MPGPH131.exe, 00000006.00000002.1869499685.0000000001148000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot;
Source: MPGPH131.exe, 00000006.00000002.1869499685.0000000001148000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botF
Source: 0BzQNa8hYd.exe, 00000000.00000002.1962838850.0000000001A4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botisepro_bot
Source: RageMP131.exe, 0000000A.00000002.1935964925.0000000001787000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botisepro_botw
Source: 0BzQNa8hYd.exe, 00000000.00000002.1962838850.0000000001A4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botrisepro
Source: 0BzQNa8hYd.exe, 00000000.00000003.1731510084.000000000824A000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1734785111.0000000008271000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1732258340.000000000825A000.00000004.00000020.00020000.00000000.sdmp, JZ_Was4YldHsWeb Data.0.dr, 9CCJaOUL98GXWeb Data.0.dr, FHAnyLa3I2CpWeb Data.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: 0BzQNa8hYd.exe, 00000000.00000003.1731510084.000000000824A000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1734785111.0000000008271000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1732258340.000000000825A000.00000004.00000020.00020000.00000000.sdmp, JZ_Was4YldHsWeb Data.0.dr, 9CCJaOUL98GXWeb Data.0.dr, FHAnyLa3I2CpWeb Data.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RageMP131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: 0BzQNa8hYd.exe, 00000000.00000003.1771301416.00000000081CB000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000002.1966017575.00000000081CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: 0BzQNa8hYd.exe, 00000000.00000003.1771301416.000000000822F000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1732932714.000000000822F000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1771802052.000000000822F000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1736641268.000000000822F000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1731234632.000000000822F000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1736197691.000000000822F000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1735450377.000000000822F000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1730947735.000000000822F000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1732652842.000000000822F000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 0BzQNa8hYd.exe, 00000000.00000003.1771301416.00000000081CB000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000002.1966017575.00000000081CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/X
Source: 0BzQNa8hYd.exe, 00000000.00000003.1771301416.00000000081CB000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000002.1966017575.00000000081CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/i
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 0BzQNa8hYd.exe, 00000000.00000003.1771301416.00000000081CB000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000002.1966017575.00000000081CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: 0BzQNa8hYd.exe, 00000000.00000003.1771301416.00000000081CB000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000002.1966017575.00000000081CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/_1
Source: 0BzQNa8hYd.exe, 00000000.00000003.1771301416.00000000081CB000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000002.1966017575.00000000081CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/allets
Source: 0BzQNa8hYd.exe, 00000000.00000003.1771301416.000000000822F000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1732932714.000000000822F000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1771802052.000000000822F000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1736641268.000000000822F000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1731234632.000000000822F000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1736197691.000000000822F000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1735450377.000000000822F000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1730947735.000000000822F000.00000004.00000020.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000003.1732652842.000000000822F000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.24.147:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.4:49773 version: TLS 1.2

System Summary

Source: 0BzQNa8hYd.exe Static PE information: section name:
Source: 0BzQNa8hYd.exe Static PE information: section name: .idata
Source: 0BzQNa8hYd.exe Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00EC8080 0_2_00EC8080
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00E1001D 0_2_00E1001D
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00E661D0 0_2_00E661D0
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00EAD2B0 0_2_00EAD2B0
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00EAC3E0 0_2_00EAC3E0
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00EAB7E0 0_2_00EAB7E0
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00E4F730 0_2_00E4F730
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00F0C8D0 0_2_00F0C8D0
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00DDB8E0 0_2_00DDB8E0
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00EA49B0 0_2_00EA49B0
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00E68A80 0_2_00E68A80
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00E61A60 0_2_00E61A60
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00E6CBF0 0_2_00E6CBF0
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00E77D20 0_2_00E77D20
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00E6AEC0 0_2_00E6AEC0
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00E63ED0 0_2_00E63ED0
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00E5DF60 0_2_00E5DF60
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00F020C0 0_2_00F020C0
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00F140A0 0_2_00F140A0
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00E07190 0_2_00E07190
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00F13160 0_2_00F13160
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00E71130 0_2_00E71130
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00E52100 0_2_00E52100
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00F0F280 0_2_00F0F280
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00EC0350 0_2_00EC0350
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00E1035F 0_2_00E1035F
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00E225FE 0_2_00E225FE
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00DFF570 0_2_00DFF570
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00E247AD 0_2_00E247AD
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00E0C950 0_2_00E0C950
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00E0A918 0_2_00E0A918
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00F14AE0 0_2_00F14AE0
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00E1DA74 0_2_00E1DA74
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00F15A40 0_2_00F15A40
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00E28BA0 0_2_00E28BA0
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00E60BA0 0_2_00E60BA0
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00EB4B90 0_2_00EB4B90
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00E71E40 0_2_00E71E40
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00E28E20 0_2_00E28E20
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00EBBFC0 0_2_00EBBFC0
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00EBCFC0 0_2_00EBCFC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_007BC950 5_2_007BC950
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_007BA918 5_2_007BA918
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_007B7190 5_2_007B7190
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_007CDA74 5_2_007CDA74
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_007C035F 5_2_007C035F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00870350 5_2_00870350
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_007D8BA0 5_2_007D8BA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_007AF570 5_2_007AF570
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_0086CFC0 5_2_0086CFC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_007D47AD 5_2_007D47AD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_007BC950 6_2_007BC950
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_007BA918 6_2_007BA918
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_007B7190 6_2_007B7190
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_007CDA74 6_2_007CDA74
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_007C035F 6_2_007C035F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00870350 6_2_00870350
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_007D8BA0 6_2_007D8BA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_007AF570 6_2_007AF570
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0086CFC0 6_2_0086CFC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_007D47AD 6_2_007D47AD
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00AA7190 10_2_00AA7190
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00AAA918 10_2_00AAA918
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00AAC950 10_2_00AAC950
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00ABDA74 10_2_00ABDA74
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00AC8BA0 10_2_00AC8BA0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00B60350 10_2_00B60350
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00AB035F 10_2_00AB035F
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00A9F570 10_2_00A9F570
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00AC47AD 10_2_00AC47AD
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00B5CFC0 10_2_00B5CFC0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 15_2_00AA7190 15_2_00AA7190
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 15_2_00AAA918 15_2_00AAA918
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 15_2_00AAC950 15_2_00AAC950
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 15_2_00ABDA74 15_2_00ABDA74
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 15_2_00AC8BA0 15_2_00AC8BA0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 15_2_00B60350 15_2_00B60350
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 15_2_00AB035F 15_2_00AB035F
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 15_2_00A9F570 15_2_00A9F570
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 15_2_00AC47AD 15_2_00AC47AD
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 15_2_00B5CFC0 15_2_00B5CFC0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: String function: 00AA4370 appears 48 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 007B4370 appears 48 times
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: String function: 00DEACE0 appears 86 times
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7116 -s 2100
Source: 0BzQNa8hYd.exe Binary or memory string: OriginalFilename vs 0BzQNa8hYd.exe
Source: 0BzQNa8hYd.exe, 00000000.00000002.1965299035.0000000005668000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs 0BzQNa8hYd.exe
Source: 0BzQNa8hYd.exe, 00000000.00000002.1961676347.0000000000F5F000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs 0BzQNa8hYd.exe
Source: 0BzQNa8hYd.exe, 00000000.00000002.1962082240.00000000013AB000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs 0BzQNa8hYd.exe
Source: 0BzQNa8hYd.exe, 00000000.00000003.1668368689.0000000007A8F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs 0BzQNa8hYd.exe
Source: 0BzQNa8hYd.exe, 00000000.00000000.1634581467.00000000013AB000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs 0BzQNa8hYd.exe
Source: 0BzQNa8hYd.exe Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs 0BzQNa8hYd.exe
Source: 0BzQNa8hYd.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@26/33@4/6
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00EAD2B0 RegOpenKeyExA,RegQueryValueExA,RegOpenKeyExA,RegQueryValueExA,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA, 0_2_00EAD2B0
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File created: C:\Users\user\AppData\Local\RageMP131 Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7264:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7308:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7116
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp Jump to behavior
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 0BzQNa8hYd.exe, 00000000.00000003.1643419936.0000000005670000.00000004.00001000.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000002.1961502354.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.1868472930.0000000000781000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1720238633.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1868564287.0000000000781000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1728075854.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.1838264301.00000000053A0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.1935062977.0000000000A71000.00000040.00000001.01000000.00000007.sdmp, RageMP131.exe, 0000000F.00000003.1930313331.0000000004940000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000F.00000002.2035657695.0000000000A71000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 0BzQNa8hYd.exe, 00000000.00000003.1643419936.0000000005670000.00000004.00001000.00020000.00000000.sdmp, 0BzQNa8hYd.exe, 00000000.00000002.1961502354.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.1868472930.0000000000781000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1720238633.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1868564287.0000000000781000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1728075854.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.1838264301.00000000053A0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.1935062977.0000000000A71000.00000040.00000001.01000000.00000007.sdmp, RageMP131.exe, 0000000F.00000003.1930313331.0000000004940000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000F.00000002.2035657695.0000000000A71000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: 0BzQNa8hYd.exe, 00000000.00000003.1730947735.0000000008222000.00000004.00000020.00020000.00000000.sdmp, WeYUwDgk_fOSLogin Data For Account.0.dr, 9gL_vPVyR4oVLogin Data.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 0BzQNa8hYd.exe Virustotal: Detection: 49%
Source: 0BzQNa8hYd.exe ReversingLabs: Detection: 47%
Source: 0BzQNa8hYd.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: 0BzQNa8hYd.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: RageMP131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File read: C:\Users\user\Desktop\0BzQNa8hYd.exe
Source: unknown Process created: C:\Users\user\Desktop\0BzQNa8hYd.exe "C:\Users\user\Desktop\0BzQNa8hYd.exe"
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7116 -s 2100
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1976,i,748993754934603013,4578033061278539889,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0BzQNa8hYd.exe Static file information: File size 2411008 > 1048576
Source: 0BzQNa8hYd.exe Static PE information: Raw size of tjexpmlp is bigger than: 0x100000 < 0x19d800

Data Obfuscation

Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Unpacked PE file: 0.2.0BzQNa8hYd.exe.dd0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;tjexpmlp:EW;gbmldyvm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;tjexpmlp:EW;gbmldyvm:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 5.2.MPGPH131.exe.780000.0.unpack :EW;.rsrc:W;.idata :W; :EW;tjexpmlp:EW;gbmldyvm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;tjexpmlp:EW;gbmldyvm:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 6.2.MPGPH131.exe.780000.0.unpack :EW;.rsrc:W;.idata :W; :EW;tjexpmlp:EW;gbmldyvm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;tjexpmlp:EW;gbmldyvm:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 10.2.RageMP131.exe.a70000.0.unpack :EW;.rsrc:W;.idata :W; :EW;tjexpmlp:EW;gbmldyvm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;tjexpmlp:EW;gbmldyvm:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 15.2.RageMP131.exe.a70000.0.unpack :EW;.rsrc:W;.idata :W; :EW;tjexpmlp:EW;gbmldyvm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;tjexpmlp:EW;gbmldyvm:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: 0BzQNa8hYd.exe Static PE information: real checksum: 0x2577e7 should be: 0x250902
Source: RageMP131.exe.0.dr Static PE information: real checksum: 0x2577e7 should be: 0x250902
Source: MPGPH131.exe.0.dr Static PE information: real checksum: 0x2577e7 should be: 0x250902
Source: 0BzQNa8hYd.exe Static PE information: section name:
Source: 0BzQNa8hYd.exe Static PE information: section name: .idata
Source: 0BzQNa8hYd.exe Static PE information: section name:
Source: 0BzQNa8hYd.exe Static PE information: section name: tjexpmlp
Source: 0BzQNa8hYd.exe Static PE information: section name: gbmldyvm
Source: 0BzQNa8hYd.exe Static PE information: section name: .taggant
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: tjexpmlp
Source: RageMP131.exe.0.dr Static PE information: section name: gbmldyvm
Source: RageMP131.exe.0.dr Static PE information: section name: .taggant
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: tjexpmlp
Source: MPGPH131.exe.0.dr Static PE information: section name: gbmldyvm
Source: MPGPH131.exe.0.dr Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00E03F49 push ecx; ret 0_2_00E03F5C
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_057C02BF push 0000005Bh; retn 0010h 0_2_057C02CF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_007B3F49 push ecx; ret 5_2_007B3F5C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_007B3F49 push ecx; ret 6_2_007B3F5C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00AA3F49 push ecx; ret 10_2_00AA3F5C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 15_2_00AA3F49 push ecx; ret 15_2_00AA3F5C
Source: 0BzQNa8hYd.exe Static PE information: section name: entropy: 7.924284012576602
Source: 0BzQNa8hYd.exe Static PE information: section name: tjexpmlp entropy: 7.90989953831382
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.924284012576602
Source: RageMP131.exe.0.dr Static PE information: section name: tjexpmlp entropy: 7.90989953831382
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.924284012576602
Source: MPGPH131.exe.0.dr Static PE information: section name: tjexpmlp entropy: 7.90989953831382
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Boot Survival

Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 10E121E second address: 10E123E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3CA4BF78B0h 0x00000009 pop edi 0x0000000a popad 0x0000000b jl 00007F3CA4BF78CFh 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 10E123E second address: 10E1242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 10E0554 second address: 10E0561 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 10E0561 second address: 10E0565 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 10E0565 second address: 10E056B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 10E056B second address: 10E05A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F3CA57AC346h 0x0000000e jmp 00007F3CA57AC349h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 10E0AF0 second address: 10E0AF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 10E0AF4 second address: 10E0AFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 10E23D3 second address: 10E23D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 10E23D7 second address: 10E23F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA57AC348h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 10E24DF second address: 10E24E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 10E2600 second address: 10E2605 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 10E2605 second address: 10E262B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jno 00007F3CA51F3F04h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push ecx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 10E262B second address: 10E2631 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 10E2631 second address: 10E264E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3CA51F3F03h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 10E27A1 second address: 10E27A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 10E27A5 second address: 10E27C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA51F3EFEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 10E27C1 second address: 10E27C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 10E27C5 second address: 10E27EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA51F3EFCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a ja 00007F3CA51F3EF6h 0x00000010 js 00007F3CA51F3EF6h 0x00000016 popad 0x00000017 popad 0x00000018 mov eax, dword ptr [eax] 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 10E27EB second address: 10E2859 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F3CA57AC341h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 jo 00007F3CA57AC349h 0x0000001a push esi 0x0000001b jmp 00007F3CA57AC341h 0x00000020 pop esi 0x00000021 pop eax 0x00000022 mov esi, dword ptr [ebp+122D2F88h] 0x00000028 push 00000003h 0x0000002a xor dword ptr [ebp+122D584Dh], esi 0x00000030 push 00000000h 0x00000032 xor si, 9F38h 0x00000037 push 00000003h 0x00000039 mov esi, dword ptr [ebp+122D2B5Ch] 0x0000003f call 00007F3CA57AC339h 0x00000044 js 00007F3CA57AC344h 0x0000004a push eax 0x0000004b push edx 0x0000004c jg 00007F3CA57AC336h 0x00000052 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 10E2859 second address: 10E2877 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 pushad 0x0000000a popad 0x0000000b pop eax 0x0000000c je 00007F3CA51F3EF8h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 push eax 0x0000001a push edx 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 10E2877 second address: 10E287C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 10E287C second address: 10E2896 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA51F3F00h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 10E2896 second address: 10E28B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F3CA57AC341h 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 10E28B7 second address: 10E28C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA51F3EFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 10E28C6 second address: 10E28DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3CA57AC344h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 10D9A51 second address: 10D9A55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 10D9A55 second address: 10D9A5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 10D9A5B second address: 10D9A65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F3CA51F3EF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 10D9A65 second address: 10D9A69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 10D9A69 second address: 10D9A9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F3CA51F3EF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F3CA51F3EFCh 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F3CA51F3F09h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11013AB second address: 11013AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11013AF second address: 11013B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11013B3 second address: 11013B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11013B9 second address: 11013EB instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3CA51F3EF8h 0x00000008 jmp 00007F3CA51F3F00h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F3CA51F3EFDh 0x00000017 jns 00007F3CA51F3EF6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11013EB second address: 11013FB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F3CA57AC336h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11013FB second address: 11013FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1101555 second address: 110155D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1101C78 second address: 1101C7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1101C7E second address: 1101C82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1101C82 second address: 1101C8D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnl 00007F3CA51F3EF6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 110203D second address: 110204A instructions: 0x00000000 rdtsc 0x00000002 je 00007F3CA57AC336h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 110204A second address: 1102050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1102050 second address: 1102055 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1102055 second address: 1102073 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3CA51F3F08h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1102073 second address: 1102077 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11024F4 second address: 1102515 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c jmp 00007F3CA51F3EFFh 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1102D52 second address: 1102D6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA57AC33Eh 0x00000007 jno 00007F3CA57AC336h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1103211 second address: 110321C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1106EF8 second address: 1106EFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 110AE64 second address: 110AE72 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 110B019 second address: 110B01E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 110B01E second address: 110B094 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3CA51F3EFCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c pushad 0x0000000d jmp 00007F3CA51F3F03h 0x00000012 jmp 00007F3CA51F3F05h 0x00000017 popad 0x00000018 pop edi 0x00000019 mov eax, dword ptr [esp+04h] 0x0000001d push eax 0x0000001e jmp 00007F3CA51F3F03h 0x00000023 pop eax 0x00000024 mov eax, dword ptr [eax] 0x00000026 pushad 0x00000027 jmp 00007F3CA51F3F09h 0x0000002c push eax 0x0000002d push edx 0x0000002e push edx 0x0000002f pop edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 110B2E5 second address: 110B2EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 110DC78 second address: 110DC7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 110DC7E second address: 110DC84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 110DC84 second address: 110DC93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007F3CA51F3F12h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 110DC93 second address: 110DC99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 110DC99 second address: 110DC9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1110B8E second address: 1110B92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1110B92 second address: 1110B9E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1110B9E second address: 1110BA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11110E0 second address: 11110F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3CA51F3F05h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1111290 second address: 1111295 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 111146A second address: 1111470 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 111154E second address: 1111567 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA57AC345h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1111567 second address: 111156D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 111156D second address: 1111571 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1111605 second address: 1111609 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1111664 second address: 1111668 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1111668 second address: 111167C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 nop 0x00000008 mov dword ptr [ebp+122D584Dh], edi 0x0000000e xchg eax, ebx 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 111239E second address: 11123A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11123A2 second address: 11123BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b jmp 00007F3CA51F3EFFh 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1114B53 second address: 1114BE5 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3CA57AC336h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007F3CA57AC338h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push ecx 0x0000002b call 00007F3CA57AC338h 0x00000030 pop ecx 0x00000031 mov dword ptr [esp+04h], ecx 0x00000035 add dword ptr [esp+04h], 00000015h 0x0000003d inc ecx 0x0000003e push ecx 0x0000003f ret 0x00000040 pop ecx 0x00000041 ret 0x00000042 mov esi, dword ptr [ebp+122D2D5Dh] 0x00000048 add dword ptr [ebp+122D197Bh], esi 0x0000004e push 00000000h 0x00000050 push 00000000h 0x00000052 push edx 0x00000053 call 00007F3CA57AC338h 0x00000058 pop edx 0x00000059 mov dword ptr [esp+04h], edx 0x0000005d add dword ptr [esp+04h], 0000001Ch 0x00000065 inc edx 0x00000066 push edx 0x00000067 ret 0x00000068 pop edx 0x00000069 ret 0x0000006a jne 00007F3CA57AC343h 0x00000070 push eax 0x00000071 pushad 0x00000072 pushad 0x00000073 push eax 0x00000074 push edx 0x00000075 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11123BD second address: 11123C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 111540F second address: 111541C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1115E1C second address: 1115E2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007F3CA51F3EF6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 111541C second address: 1115420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11160B9 second address: 1116140 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jmp 00007F3CA51F3F05h 0x0000000b pop edx 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 push 00000000h 0x00000012 push edx 0x00000013 call 00007F3CA51F3EF8h 0x00000018 pop edx 0x00000019 mov dword ptr [esp+04h], edx 0x0000001d add dword ptr [esp+04h], 00000019h 0x00000025 inc edx 0x00000026 push edx 0x00000027 ret 0x00000028 pop edx 0x00000029 ret 0x0000002a or dword ptr [ebp+122D30B4h], esi 0x00000030 mov esi, dword ptr [ebp+122D239Ch] 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push esi 0x0000003b call 00007F3CA51F3EF8h 0x00000040 pop esi 0x00000041 mov dword ptr [esp+04h], esi 0x00000045 add dword ptr [esp+04h], 0000001Bh 0x0000004d inc esi 0x0000004e push esi 0x0000004f ret 0x00000050 pop esi 0x00000051 ret 0x00000052 mov esi, 548CD6ABh 0x00000057 push 00000000h 0x00000059 mov si, ax 0x0000005c push eax 0x0000005d push eax 0x0000005e push edx 0x0000005f jl 00007F3CA51F3EF8h 0x00000065 pushad 0x00000066 popad 0x00000067 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1115420 second address: 1115429 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1116140 second address: 111615D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3CA4739FF9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1116BD5 second address: 1116BDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1116921 second address: 1116927 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1116BDA second address: 1116BE4 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3CA4BF78ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1117530 second address: 1117534 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1117534 second address: 1117540 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1117540 second address: 1117549 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1117549 second address: 11175D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push esi 0x0000000b call 00007F3CA4BF78A8h 0x00000010 pop esi 0x00000011 mov dword ptr [esp+04h], esi 0x00000015 add dword ptr [esp+04h], 00000015h 0x0000001d inc esi 0x0000001e push esi 0x0000001f ret 0x00000020 pop esi 0x00000021 ret 0x00000022 add esi, dword ptr [ebp+122D2C88h] 0x00000028 mov edi, dword ptr [ebp+122D2B60h] 0x0000002e push 00000000h 0x00000030 clc 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push edi 0x00000036 call 00007F3CA4BF78A8h 0x0000003b pop edi 0x0000003c mov dword ptr [esp+04h], edi 0x00000040 add dword ptr [esp+04h], 0000001Ch 0x00000048 inc edi 0x00000049 push edi 0x0000004a ret 0x0000004b pop edi 0x0000004c ret 0x0000004d call 00007F3CA4BF78B3h 0x00000052 jmp 00007F3CA4BF78AEh 0x00000057 pop edi 0x00000058 push eax 0x00000059 push eax 0x0000005a push edx 0x0000005b jmp 00007F3CA4BF78AEh 0x00000060 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11180DA second address: 11180E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1119C29 second address: 1119C2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1119C2D second address: 1119C35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1119C35 second address: 1119C3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 112386C second address: 1123878 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1123878 second address: 112387E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1121519 second address: 112151F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1123AC0 second address: 1123AC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1123AC4 second address: 1123AE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4739FF6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11256BE second address: 11256C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11256C3 second address: 1125769 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4739FF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F3CA4739FF4h 0x0000000f nop 0x00000010 mov bx, C983h 0x00000014 or bx, 6D00h 0x00000019 push 00000000h 0x0000001b push edx 0x0000001c mov bl, ch 0x0000001e pop ebx 0x0000001f jns 00007F3CA4739FECh 0x00000025 mov dword ptr [ebp+122D1C01h], esi 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push ebp 0x00000030 call 00007F3CA4739FE8h 0x00000035 pop ebp 0x00000036 mov dword ptr [esp+04h], ebp 0x0000003a add dword ptr [esp+04h], 0000001Dh 0x00000042 inc ebp 0x00000043 push ebp 0x00000044 ret 0x00000045 pop ebp 0x00000046 ret 0x00000047 mov edi, dword ptr [ebp+122D2CE4h] 0x0000004d call 00007F3CA4739FF1h 0x00000052 mov ebx, edi 0x00000054 pop ebx 0x00000055 push eax 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 jmp 00007F3CA4739FF5h 0x0000005e pushad 0x0000005f popad 0x00000060 popad 0x00000061 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1125769 second address: 112576E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11258ED second address: 1125983 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F3CA4739FEBh 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov dword ptr [ebp+122D2997h], esi 0x00000012 push dword ptr fs:[00000000h] 0x00000019 add edi, dword ptr [ebp+122D1C51h] 0x0000001f mov dword ptr fs:[00000000h], esp 0x00000026 push 00000000h 0x00000028 push ebp 0x00000029 call 00007F3CA4739FE8h 0x0000002e pop ebp 0x0000002f mov dword ptr [esp+04h], ebp 0x00000033 add dword ptr [esp+04h], 0000001Bh 0x0000003b inc ebp 0x0000003c push ebp 0x0000003d ret 0x0000003e pop ebp 0x0000003f ret 0x00000040 mov eax, dword ptr [ebp+122D13D5h] 0x00000046 push 00000000h 0x00000048 push edi 0x00000049 call 00007F3CA4739FE8h 0x0000004e pop edi 0x0000004f mov dword ptr [esp+04h], edi 0x00000053 add dword ptr [esp+04h], 00000016h 0x0000005b inc edi 0x0000005c push edi 0x0000005d ret 0x0000005e pop edi 0x0000005f ret 0x00000060 push FFFFFFFFh 0x00000062 xor dword ptr [ebp+122D320Ch], ebx 0x00000068 nop 0x00000069 push eax 0x0000006a push edx 0x0000006b jmp 00007F3CA4739FF8h 0x00000070 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1125983 second address: 1125998 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F3CA4BF78A6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1125998 second address: 11259AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4739FF3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1127675 second address: 1127679 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1127679 second address: 11276D2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov ebx, dword ptr [ebp+122D2A18h] 0x00000010 push 00000000h 0x00000012 add dword ptr [ebp+122D584Dh], edx 0x00000018 add dword ptr [ebp+122D296Ch], esi 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push esi 0x00000023 call 00007F3CA4739FE8h 0x00000028 pop esi 0x00000029 mov dword ptr [esp+04h], esi 0x0000002d add dword ptr [esp+04h], 0000001Ah 0x00000035 inc esi 0x00000036 push esi 0x00000037 ret 0x00000038 pop esi 0x00000039 ret 0x0000003a jmp 00007F3CA4739FEDh 0x0000003f xchg eax, esi 0x00000040 pushad 0x00000041 push edx 0x00000042 pushad 0x00000043 popad 0x00000044 pop edx 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 pop eax 0x00000049 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11285C3 second address: 11285E1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jns 00007F3CA4BF78A6h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jp 00007F3CA4BF78ACh 0x00000014 push eax 0x00000015 push edx 0x00000016 push edx 0x00000017 pop edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 112A6BC second address: 112A6D4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F3CA4739FE8h 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1127837 second address: 11278B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007F3CA4BF78A8h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 00000016h 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 mov dword ptr [ebp+122D2E52h], edi 0x00000029 push dword ptr fs:[00000000h] 0x00000030 push 00000000h 0x00000032 push edx 0x00000033 call 00007F3CA4BF78A8h 0x00000038 pop edx 0x00000039 mov dword ptr [esp+04h], edx 0x0000003d add dword ptr [esp+04h], 00000018h 0x00000045 inc edx 0x00000046 push edx 0x00000047 ret 0x00000048 pop edx 0x00000049 ret 0x0000004a mov dword ptr fs:[00000000h], esp 0x00000051 mov dword ptr [ebp+12454EA9h], esi 0x00000057 mov eax, dword ptr [ebp+122D0935h] 0x0000005d push FFFFFFFFh 0x0000005f jmp 00007F3CA4BF78ACh 0x00000064 nop 0x00000065 push eax 0x00000066 push edx 0x00000067 pushad 0x00000068 push edx 0x00000069 pop edx 0x0000006a push edx 0x0000006b pop edx 0x0000006c popad 0x0000006d rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11278B5 second address: 11278BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1129923 second address: 1129929 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1128832 second address: 1128838 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1129929 second address: 112992D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 112C6FF second address: 112C79D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4739FF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F3CA4739FF6h 0x0000000e popad 0x0000000f nop 0x00000010 sub dword ptr [ebp+122D19B5h], ecx 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push edx 0x0000001b call 00007F3CA4739FE8h 0x00000020 pop edx 0x00000021 mov dword ptr [esp+04h], edx 0x00000025 add dword ptr [esp+04h], 00000014h 0x0000002d inc edx 0x0000002e push edx 0x0000002f ret 0x00000030 pop edx 0x00000031 ret 0x00000032 pushad 0x00000033 mov dx, 406Eh 0x00000037 mov si, 753Bh 0x0000003b popad 0x0000003c jmp 00007F3CA4739FF2h 0x00000041 push 00000000h 0x00000043 push 00000000h 0x00000045 push esi 0x00000046 call 00007F3CA4739FE8h 0x0000004b pop esi 0x0000004c mov dword ptr [esp+04h], esi 0x00000050 add dword ptr [esp+04h], 0000001Bh 0x00000058 inc esi 0x00000059 push esi 0x0000005a ret 0x0000005b pop esi 0x0000005c ret 0x0000005d mov bx, dx 0x00000060 push eax 0x00000061 pushad 0x00000062 push eax 0x00000063 push edx 0x00000064 push esi 0x00000065 pop esi 0x00000066 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1128838 second address: 112883D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1126865 second address: 112686F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F3CA4739FE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 112C935 second address: 112C9FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F3CA4BF78A6h 0x00000009 jmp 00007F3CA4BF78AEh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 jmp 00007F3CA4BF78B6h 0x00000017 nop 0x00000018 mov di, A859h 0x0000001c push dword ptr fs:[00000000h] 0x00000023 push 00000000h 0x00000025 push ebp 0x00000026 call 00007F3CA4BF78A8h 0x0000002b pop ebp 0x0000002c mov dword ptr [esp+04h], ebp 0x00000030 add dword ptr [esp+04h], 0000001Ch 0x00000038 inc ebp 0x00000039 push ebp 0x0000003a ret 0x0000003b pop ebp 0x0000003c ret 0x0000003d sub edi, 23049836h 0x00000043 mov dword ptr fs:[00000000h], esp 0x0000004a or edi, 566D87C8h 0x00000050 mov eax, dword ptr [ebp+122D0275h] 0x00000056 mov edi, dword ptr [ebp+122D2D93h] 0x0000005c push FFFFFFFFh 0x0000005e push 00000000h 0x00000060 push ebp 0x00000061 call 00007F3CA4BF78A8h 0x00000066 pop ebp 0x00000067 mov dword ptr [esp+04h], ebp 0x0000006b add dword ptr [esp+04h], 0000001Ch 0x00000073 inc ebp 0x00000074 push ebp 0x00000075 ret 0x00000076 pop ebp 0x00000077 ret 0x00000078 mov dword ptr [ebp+122D1D5Bh], ebx 0x0000007e nop 0x0000007f jmp 00007F3CA4BF78B6h 0x00000084 push eax 0x00000085 push esi 0x00000086 pushad 0x00000087 push eax 0x00000088 push edx 0x00000089 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 112C9FD second address: 112CA03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 112DAAE second address: 112DAB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 112DAB2 second address: 112DAB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 112FF2F second address: 112FF39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F3CA4BF78A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1134838 second address: 113483F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 113483F second address: 113484B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jl 00007F3CA4BF78A6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1134B14 second address: 1134B1E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3CA4739FE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1134B1E second address: 1134B31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F3CA4BF78AAh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11408D1 second address: 11408E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 pushad 0x00000007 jne 00007F3CA4739FF2h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11408E0 second address: 11408E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11408E6 second address: 11408ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1140A26 second address: 1140A38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F3CA4BF78AAh 0x0000000a pushad 0x0000000b popad 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1140A38 second address: 1140A3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1140A3C second address: 1140A42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1140E48 second address: 1140E4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1140E4D second address: 1140E53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11410EB second address: 1141102 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3CA4739FEDh 0x00000009 jnl 00007F3CA4739FE6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1141102 second address: 1141106 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1141106 second address: 1141147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F3CA4739FE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F3CA4739FF9h 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F3CA4739FF6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1141147 second address: 114114D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 114114D second address: 1141152 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1141152 second address: 1141158 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1143DA2 second address: 1143DA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 111B1BA second address: 111B1C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 111B1C0 second address: 111B1CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 111B4CA second address: 111B4D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F3CA4BF78A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 111B7A9 second address: 111B7AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 111B7AD second address: 111B7B7 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3CA4BF78A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1147567 second address: 114757F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3CA4739FF3h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 114757F second address: 1147589 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F3CA4BF78A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1147589 second address: 114758D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 111A9BE second address: 10F6DD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov dword ptr [esp], eax 0x00000008 and cx, FBD7h 0x0000000d lea eax, dword ptr [ebp+124866F7h] 0x00000013 mov cx, si 0x00000016 nop 0x00000017 jmp 00007F3CA4BF78B7h 0x0000001c push eax 0x0000001d jno 00007F3CA4BF78BAh 0x00000023 nop 0x00000024 push esi 0x00000025 mov dword ptr [ebp+122D239Ch], ebx 0x0000002b pop ecx 0x0000002c call dword ptr [ebp+122D2D6Ch] 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F3CA4BF78B0h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1147722 second address: 1147726 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1147726 second address: 1147745 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jg 00007F3CA4BF78A6h 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F3CA4BF78ABh 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11478D6 second address: 11478E0 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3CA4739FE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11478E0 second address: 11478EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11478EA second address: 11478FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3CA4739FF0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1147BDC second address: 1147BE2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1147BE2 second address: 1147C06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3CA4739FF8h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1147C06 second address: 1147C11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1148039 second address: 114803E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 114803E second address: 1148061 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F3CA4BF78ACh 0x00000008 pushad 0x00000009 jmp 00007F3CA4BF78B2h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 114C620 second address: 114C657 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3CA4739FE6h 0x00000008 ja 00007F3CA4739FE6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F3CA4739FF6h 0x00000017 jmp 00007F3CA4739FEFh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 114C657 second address: 114C65B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 114C65B second address: 114C665 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 114C665 second address: 114C673 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3CA4BF78AAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 114C673 second address: 114C681 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4739FEAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 114CA1D second address: 114CA3F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4BF78B4h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jbe 00007F3CA4BF78A8h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 114CD61 second address: 114CD80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4739FF1h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F3CA4739FE6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 114CD80 second address: 114CD8A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 114CD8A second address: 114CD90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 114CD90 second address: 114CD94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 114CEEB second address: 114CF0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4739FF5h 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007F3CA4739FE6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 114D18B second address: 114D191 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 114D42D second address: 114D431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 114D9B5 second address: 114D9CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4BF78B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 114D9CE second address: 114D9E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4739FF1h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 114C35E second address: 114C368 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3CA4BF78ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11565AD second address: 11565B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11565B7 second address: 11565BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11565BF second address: 11565C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11565C8 second address: 11565D3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1155233 second address: 1155255 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4739FF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1155255 second address: 1155263 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11558C2 second address: 11558CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F3CA4739FE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1155A34 second address: 1155A46 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F3CA4BF78ACh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1155A46 second address: 1155A62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3CA4739FF6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1155A62 second address: 1155A66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1155D53 second address: 1155D7C instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3CA473A004h 0x00000008 jmp 00007F3CA4739FF8h 0x0000000d jnp 00007F3CA4739FE6h 0x00000013 push esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1155D7C second address: 1155DBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop esi 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F3CA4BF78B7h 0x0000000f jmp 00007F3CA4BF78B8h 0x00000014 jl 00007F3CA4BF78ACh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1155ED1 second address: 1155ED9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1156036 second address: 115603C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11562E1 second address: 11562E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11562E5 second address: 11562ED instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11562ED second address: 1156305 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3CA4739FFAh 0x00000008 jmp 00007F3CA4739FEEh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 115977A second address: 1159784 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F3CA4BF78A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1159784 second address: 1159798 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3CA4739FE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007F3CA4739FE6h 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1159798 second address: 11597B6 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3CA4BF78A6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3CA4BF78B0h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 115C541 second address: 115C545 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 115C29B second address: 115C2AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4BF78ACh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 115E682 second address: 115E686 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1160D93 second address: 1160D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1160D99 second address: 1160DB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4739FF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1160DB2 second address: 1160DBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F3CA4BF78A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1160DBC second address: 1160DC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1165731 second address: 116573E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edi 0x00000006 jo 00007F3CA4BF78A6h 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 116573E second address: 1165752 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3CA4739FF0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1164B7D second address: 1164B89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1164B89 second address: 1164BC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F3CA4739FE6h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F3CA4739FEBh 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F3CA4739FF7h 0x00000019 popad 0x0000001a pushad 0x0000001b jbe 00007F3CA4739FE6h 0x00000021 pushad 0x00000022 popad 0x00000023 push ebx 0x00000024 pop ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1164E8C second address: 1164EB7 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3CA4BF78A6h 0x00000008 jmp 00007F3CA4BF78B9h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jng 00007F3CA4BF78ACh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1164EB7 second address: 1164EBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1164EBB second address: 1164EC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1164EC1 second address: 1164ED9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4739FECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007F3CA4739FE6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1165002 second address: 1165018 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jc 00007F3CA4BF78A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jc 00007F3CA4BF78AEh 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1165018 second address: 116506B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 jmp 00007F3CA4739FF8h 0x0000000c push eax 0x0000000d pop eax 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F3CA4739FEFh 0x00000015 popad 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b jnc 00007F3CA4739FE6h 0x00000021 popad 0x00000022 ja 00007F3CA4739FECh 0x00000028 push eax 0x00000029 push edx 0x0000002a jne 00007F3CA4739FE6h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 116506B second address: 116506F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11652EC second address: 11652F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11652F1 second address: 1165308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3CA4BF78AFh 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1165308 second address: 1165335 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F3CA4739FF5h 0x00000010 jmp 00007F3CA4739FEDh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1165335 second address: 116533B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 116860C second address: 1168612 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1168612 second address: 1168650 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push esi 0x0000000a pop esi 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d popad 0x0000000e jbe 00007F3CA4BF78C3h 0x00000014 jmp 00007F3CA4BF78B2h 0x00000019 jmp 00007F3CA4BF78ABh 0x0000001e jg 00007F3CA4BF78A8h 0x00000024 push eax 0x00000025 pop eax 0x00000026 popad 0x00000027 pushad 0x00000028 push ecx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1168650 second address: 1168656 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1168656 second address: 116865F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 116865F second address: 1168690 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3CA4739FE6h 0x00000008 jmp 00007F3CA4739FECh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F3CA4739FF3h 0x00000014 jns 00007F3CA4739FEEh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1167D83 second address: 1167D8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1167D8C second address: 1167D94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1168039 second address: 1168069 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4BF78B5h 0x00000007 jnl 00007F3CA4BF78A6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 pushad 0x00000011 push edi 0x00000012 jmp 00007F3CA4BF78AAh 0x00000017 pop edi 0x00000018 push ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1168069 second address: 1168079 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F3CA4739FE6h 0x0000000a pop ebx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 116CFD6 second address: 116CFF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jmp 00007F3CA4BF78B6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 116CFF5 second address: 116CFFF instructions: 0x00000000 rdtsc 0x00000002 je 00007F3CA4739FEEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 116C304 second address: 116C309 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 116C5CA second address: 116C5D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F3CA4739FE6h 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 116C5D8 second address: 116C5F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F3CA4BF78B2h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 116C5F1 second address: 116C5F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 116CA42 second address: 116CA4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F3CA4BF78A6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 116CA4D second address: 116CA83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F3CA4739FEEh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edi 0x0000000f push eax 0x00000010 jmp 00007F3CA4739FF6h 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a push edx 0x0000001b pop edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 10D63C4 second address: 10D63D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3CA4BF78AEh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 10D63D9 second address: 10D63DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 10D63DF second address: 10D63F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4BF78ADh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 117433E second address: 1174345 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1174345 second address: 117434F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F3CA4BF78A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1174512 second address: 1174520 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1174966 second address: 117496A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 117496A second address: 1174972 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1174BFF second address: 1174C09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F3CA4BF78A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1174C09 second address: 1174C3B instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3CA4739FE6h 0x00000008 jmp 00007F3CA4739FECh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jno 00007F3CA4739FF5h 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1174C3B second address: 1174C52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F3CA4BF78A6h 0x0000000a jno 00007F3CA4BF78A6h 0x00000010 jnc 00007F3CA4BF78A6h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1174C52 second address: 1174C59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1174EB0 second address: 1174EB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 117600C second address: 1176010 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1173EF9 second address: 1173EFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1173EFF second address: 1173F28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push ebx 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3CA4739FF6h 0x00000012 jc 00007F3CA4739FE6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1173F28 second address: 1173F32 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3CA4BF78A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1173F32 second address: 1173F3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1173F3C second address: 1173F46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F3CA4BF78A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1173F46 second address: 1173F4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 117DB80 second address: 117DB86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 117DB86 second address: 117DB8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 117DB8E second address: 117DB93 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 117DB93 second address: 117DB99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 117DB99 second address: 117DBA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007F3CA4BF78A6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 117DBA6 second address: 117DBAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 117DBAA second address: 117DBB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 117DBB8 second address: 117DBC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F3CA4739FE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 117DBC2 second address: 117DBDE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4BF78B8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 10CDA5D second address: 10CDA94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4739FF9h 0x00000007 jmp 00007F3CA4739FF7h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1192C10 second address: 1192C16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 119B977 second address: 119B9B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 jng 00007F3CA4739FE6h 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007F3CA4739FEFh 0x0000001a jmp 00007F3CA4739FF6h 0x0000001f popad 0x00000020 pushad 0x00000021 push edi 0x00000022 pop edi 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 119B9B7 second address: 119B9BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11B3BDA second address: 11B3BE4 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3CA4739FF2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11B3BE4 second address: 11B3BEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11BCE4A second address: 11BCE4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11C1FDD second address: 11C1FE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11BB8BB second address: 11BB8BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11BB8BF second address: 11BB8CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4BF78ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11BB8CE second address: 11BB8DA instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3CA4739FEEh 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11CF1DC second address: 11CF1E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F3CA4BF78A6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11F8D42 second address: 11F8D58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3CA4739FEEh 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11F8D58 second address: 11F8D5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11FA4A3 second address: 11FA4C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edi 0x00000006 push edi 0x00000007 pushad 0x00000008 jmp 00007F3CA4739FF7h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11FA342 second address: 11FA349 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11FDCE0 second address: 11FDCE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11FE68A second address: 11FE695 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11FE695 second address: 11FE699 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11FE699 second address: 11FE69D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11FE69D second address: 11FE6BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3CA4739FF1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11FE6BA second address: 11FE6BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11FE849 second address: 11FE850 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11FE9AF second address: 11FE9B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11FE9B3 second address: 11FE9C2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 ja 00007F3CA4739FE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 12015F5 second address: 1201621 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4BF78AFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3CA4BF78B6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1201621 second address: 120162B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F3CA4739FE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1201C13 second address: 1201C35 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4BF78B0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b pushad 0x0000000c jl 00007F3CA4BF78A8h 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 1204B43 second address: 1204B61 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007F3CA4739FFAh 0x0000000e jmp 00007F3CA4739FEEh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5730655 second address: 573065B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 573065B second address: 573068C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4739FEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F3CA4739FF6h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 573068C second address: 5730690 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5730690 second address: 5730696 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5730696 second address: 573069C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 573069C second address: 57306CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4739FF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov eax, 788D8163h 0x00000012 mov ch, D0h 0x00000014 popad 0x00000015 mov ebp, esp 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F3CA4739FEEh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57306CF second address: 57306D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57306D5 second address: 57306D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57306D9 second address: 57306F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4BF78ADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57306F3 second address: 57306F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57306F7 second address: 57306FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 570002A second address: 57000A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 411087EAh 0x00000008 mov bh, 38h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F3CA4739FF3h 0x00000015 sbb cl, 0000003Eh 0x00000018 jmp 00007F3CA4739FF9h 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007F3CA4739FF0h 0x00000024 sbb ch, 00000038h 0x00000027 jmp 00007F3CA4739FEBh 0x0000002c popfd 0x0000002d popad 0x0000002e xchg eax, ebp 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F3CA4739FF0h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57000A0 second address: 57000A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5770008 second address: 577000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 577000C second address: 577001F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4BF78AFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 577001F second address: 5770025 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5770025 second address: 5770029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5770029 second address: 5770088 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4739FEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F3CA4739FEBh 0x00000015 add ch, 0000005Eh 0x00000018 jmp 00007F3CA4739FF9h 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007F3CA4739FF0h 0x00000024 or al, 00000058h 0x00000027 jmp 00007F3CA4739FEBh 0x0000002c popfd 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5770088 second address: 5770106 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4BF78B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F3CA4BF78B1h 0x0000000f xchg eax, ebp 0x00000010 jmp 00007F3CA4BF78AEh 0x00000015 mov ebp, esp 0x00000017 pushad 0x00000018 mov bl, al 0x0000001a pushfd 0x0000001b jmp 00007F3CA4BF78B3h 0x00000020 and cx, E4DEh 0x00000025 jmp 00007F3CA4BF78B9h 0x0000002a popfd 0x0000002b popad 0x0000002c pop ebp 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5770106 second address: 577010A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 577010A second address: 577011D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4BF78AFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 56F0CEA second address: 56F0CF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 56F0CF0 second address: 56F0D02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d mov edx, 6D5F4EB8h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 56F0D02 second address: 56F0D36 instructions: 0x00000000 rdtsc 0x00000002 call 00007F3CA4739FF1h 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, edx 0x0000000c popad 0x0000000d push dword ptr [ebp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F3CA4739FF6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 56F0D94 second address: 56F0DD0 instructions: 0x00000000 rdtsc 0x00000002 mov esi, edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop ebp 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushfd 0x0000000c jmp 00007F3CA4BF78B9h 0x00000011 sub cx, 66D6h 0x00000016 jmp 00007F3CA4BF78B1h 0x0000001b popfd 0x0000001c rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5760B73 second address: 5760B77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5760B77 second address: 5760B7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5760B7D second address: 5760B9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3CA4739FF9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5760B9A second address: 5760BDD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4BF78B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov esi, edx 0x00000012 pushfd 0x00000013 jmp 00007F3CA4BF78AFh 0x00000018 jmp 00007F3CA4BF78B3h 0x0000001d popfd 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5740AE6 second address: 5740B21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 xchg eax, ebp 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F3CA4739FF5h 0x00000010 sub eax, 58D73106h 0x00000016 jmp 00007F3CA4739FF1h 0x0000001b popfd 0x0000001c push ecx 0x0000001d pop ebx 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5740B21 second address: 5740B27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5740B27 second address: 5740B4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F3CA4739FF2h 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 movzx eax, bx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57903C0 second address: 57903EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4BF78AEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3CA4BF78B7h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57903EC second address: 5790418 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4739FF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3CA4739FECh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5790418 second address: 5790457 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, si 0x00000006 jmp 00007F3CA4BF78AAh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f jmp 00007F3CA4BF78B0h 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F3CA4BF78B7h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5790457 second address: 5790474 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, di 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3CA4739FEFh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5790474 second address: 5790491 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4BF78B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5770D5F second address: 5770DF0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, 2Dh 0x00000005 pushfd 0x00000006 jmp 00007F3CA4739FF8h 0x0000000b add esi, 2E82C6C8h 0x00000011 jmp 00007F3CA4739FEBh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b pushad 0x0000001c mov dh, al 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007F3CA4739FF7h 0x00000025 jmp 00007F3CA4739FF3h 0x0000002a popfd 0x0000002b pushad 0x0000002c popad 0x0000002d popad 0x0000002e popad 0x0000002f push eax 0x00000030 pushad 0x00000031 pushad 0x00000032 pushfd 0x00000033 jmp 00007F3CA4739FEEh 0x00000038 sbb esi, 00CDD6B8h 0x0000003e jmp 00007F3CA4739FEBh 0x00000043 popfd 0x00000044 popad 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5770DF0 second address: 5770DF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5770DF4 second address: 5770E44 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4739FF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F3CA4739FEEh 0x00000012 or cx, F048h 0x00000017 jmp 00007F3CA4739FEBh 0x0000001c popfd 0x0000001d mov edx, eax 0x0000001f popad 0x00000020 mov ebp, esp 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F3CA4739FECh 0x0000002b rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5770E44 second address: 5770E53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4BF78ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5700689 second address: 570068F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 570068F second address: 5700693 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5700693 second address: 57006A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57006A2 second address: 57006A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57006A6 second address: 57006C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4739FF7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57006C1 second address: 570070C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 pushfd 0x00000007 jmp 00007F3CA4BF78ABh 0x0000000c sub ecx, 7424150Eh 0x00000012 jmp 00007F3CA4BF78B9h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, ebp 0x0000001c jmp 00007F3CA4BF78AEh 0x00000021 mov ebp, esp 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 570070C second address: 5700713 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5700713 second address: 5700719 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5700719 second address: 570071D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 570071D second address: 570073A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4BF78AEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov eax, edx 0x00000011 mov eax, edi 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5760C17 second address: 5760C1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5760C1B second address: 5760C1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5760C1F second address: 5760C25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5760C25 second address: 5760C70 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, eax 0x00000005 pushfd 0x00000006 jmp 00007F3CA4BF78AEh 0x0000000b sub esi, 7DE18BD8h 0x00000011 jmp 00007F3CA4BF78ABh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b jmp 00007F3CA4BF78B6h 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 mov ax, BA13h 0x00000028 push eax 0x00000029 pop edx 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5760C70 second address: 5760C84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3CA4739FF0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5760C84 second address: 5760C88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5760C88 second address: 5760CAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3CA4739FF9h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5760CAE second address: 5760CB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5760CB2 second address: 5760CB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5760CB8 second address: 5760CCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3CA4BF78B3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5760CCF second address: 5760CD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5760CD3 second address: 5760CE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b movsx edx, ax 0x0000000e push eax 0x0000000f push edx 0x00000010 mov dx, cx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5760CE6 second address: 5760D11 instructions: 0x00000000 rdtsc 0x00000002 call 00007F3CA4739FF6h 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3CA4739FECh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 577036F second address: 5770373 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5770373 second address: 5770377 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5770377 second address: 577037D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 577037D second address: 57703BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, ebx 0x00000005 pushfd 0x00000006 jmp 00007F3CA4739FF1h 0x0000000b and ecx, 79E9B3C6h 0x00000011 jmp 00007F3CA4739FF1h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F3CA4739FEDh 0x00000022 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57703BF second address: 577045B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3CA4BF78B7h 0x00000008 mov si, 514Fh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jmp 00007F3CA4BF78B5h 0x00000015 xchg eax, ebp 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F3CA4BF78ACh 0x0000001d sub ecx, 4A52B128h 0x00000023 jmp 00007F3CA4BF78ABh 0x00000028 popfd 0x00000029 pushfd 0x0000002a jmp 00007F3CA4BF78B8h 0x0000002f sub cx, E388h 0x00000034 jmp 00007F3CA4BF78ABh 0x00000039 popfd 0x0000003a popad 0x0000003b mov ebp, esp 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F3CA4BF78B5h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 577045B second address: 577048F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4739FF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F3CA4739FF8h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 577048F second address: 5770493 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5770493 second address: 5770499 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5740A33 second address: 5740A37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5740A37 second address: 5740A3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5740A3D second address: 5740A43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5740A43 second address: 5740A47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5740A47 second address: 5740A9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007F3CA4BF78B2h 0x0000000e mov dword ptr [esp], ebp 0x00000011 pushad 0x00000012 pushad 0x00000013 mov ebx, ecx 0x00000015 mov bx, si 0x00000018 popad 0x00000019 pushad 0x0000001a mov ch, 97h 0x0000001c mov ax, di 0x0000001f popad 0x00000020 popad 0x00000021 mov ebp, esp 0x00000023 pushad 0x00000024 mov bl, D1h 0x00000026 mov bx, si 0x00000029 popad 0x0000002a pop ebp 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F3CA4BF78B9h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57207F3 second address: 5720831 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4739FF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F3CA4739FEEh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F3CA4739FEDh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5720831 second address: 5720846 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4BF78B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5780D97 second address: 5780D9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5780D9B second address: 5780DA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5780DA1 second address: 5780DA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5780DA7 second address: 5780DAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5780DAB second address: 5780DD7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4739FEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xor eax, dword ptr [ebp+08h] 0x0000000e pushad 0x0000000f mov bl, 41h 0x00000011 mov dx, cx 0x00000014 popad 0x00000015 and ecx, 1Fh 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b movsx ebx, si 0x0000001e mov cx, 45DFh 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5780DD7 second address: 5780DF8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4BF78B5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ror eax, cl 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5780DF8 second address: 5780DFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5780DFC second address: 5780E02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5780E02 second address: 5780E30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop edi 0x00000005 jmp 00007F3CA4739FECh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d leave 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F3CA4739FF7h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5740126 second address: 5740147 instructions: 0x00000000 rdtsc 0x00000002 mov si, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push esp 0x00000009 pushad 0x0000000a push ecx 0x0000000b mov bh, 08h 0x0000000d pop eax 0x0000000e mov cx, bx 0x00000011 popad 0x00000012 mov dword ptr [esp], ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F3CA4BF78AAh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5740147 second address: 57401BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4739FEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [ebp+10h] 0x0000000c jmp 00007F3CA4739FF6h 0x00000011 xchg eax, esi 0x00000012 jmp 00007F3CA4739FF0h 0x00000017 push eax 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushfd 0x0000001c jmp 00007F3CA4739FF7h 0x00000021 adc ax, 483Eh 0x00000026 jmp 00007F3CA4739FF9h 0x0000002b popfd 0x0000002c rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57401BB second address: 5740228 instructions: 0x00000000 rdtsc 0x00000002 mov ah, B7h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov bx, 4A20h 0x0000000a popad 0x0000000b xchg eax, esi 0x0000000c jmp 00007F3CA4BF78AFh 0x00000011 mov esi, dword ptr [ebp+08h] 0x00000014 jmp 00007F3CA4BF78B6h 0x00000019 xchg eax, edi 0x0000001a pushad 0x0000001b mov dx, E1B0h 0x0000001f popad 0x00000020 push eax 0x00000021 pushad 0x00000022 call 00007F3CA4BF78B4h 0x00000027 movzx ecx, bx 0x0000002a pop edi 0x0000002b mov cl, 34h 0x0000002d popad 0x0000002e xchg eax, edi 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F3CA4BF78B2h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5740228 second address: 574022E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 574022E second address: 5740232 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5760023 second address: 5760066 instructions: 0x00000000 rdtsc 0x00000002 call 00007F3CA4739FF2h 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push esi 0x0000000c jmp 00007F3CA4739FEEh 0x00000011 mov dword ptr [esp], ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F3CA4739FF7h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5760066 second address: 57600BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 10CC9011h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007F3CA4BF78ACh 0x00000012 and esp, FFFFFFF8h 0x00000015 pushad 0x00000016 movzx eax, dx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushfd 0x0000001c jmp 00007F3CA4BF78B9h 0x00000021 and ecx, 11D9F186h 0x00000027 jmp 00007F3CA4BF78B1h 0x0000002c popfd 0x0000002d rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57600BA second address: 57600D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4739FF0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57600D6 second address: 57600F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4BF78B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57600F3 second address: 57600F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57600F9 second address: 57600FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57600FD second address: 5760166 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4739FF3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F3CA4739FF2h 0x00000015 jmp 00007F3CA4739FF5h 0x0000001a popfd 0x0000001b pushfd 0x0000001c jmp 00007F3CA4739FF0h 0x00000021 and ax, 4678h 0x00000026 jmp 00007F3CA4739FEBh 0x0000002b popfd 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5760166 second address: 57601AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4BF78B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F3CA4BF78AEh 0x0000000f xchg eax, esi 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F3CA4BF78B7h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57601AC second address: 57601C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3CA4739FF4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57601C4 second address: 57601EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4BF78ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push ecx 0x00000010 pop edi 0x00000011 call 00007F3CA4BF78AEh 0x00000016 pop esi 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57601EB second address: 5760239 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 021CE50Dh 0x00000008 mov si, C509h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, esi 0x00000010 pushad 0x00000011 mov esi, 05BE0C41h 0x00000016 pushfd 0x00000017 jmp 00007F3CA4739FEEh 0x0000001c jmp 00007F3CA4739FF5h 0x00000021 popfd 0x00000022 popad 0x00000023 mov esi, dword ptr [ebp+08h] 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F3CA4739FEDh 0x0000002d rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5760239 second address: 5760249 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3CA4BF78ACh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5760249 second address: 576026F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, 00000000h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 call 00007F3CA4739FF4h 0x00000015 pop eax 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 576026F second address: 5760275 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5760275 second address: 5760279 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5760279 second address: 576033B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4BF78AAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test esi, esi 0x0000000d pushad 0x0000000e movzx ecx, di 0x00000011 pushad 0x00000012 call 00007F3CA4BF78B9h 0x00000017 pop esi 0x00000018 mov ah, dl 0x0000001a popad 0x0000001b popad 0x0000001c je 00007F3D163BD986h 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007F3CA4BF78B6h 0x00000029 sbb esi, 4EE73E38h 0x0000002f jmp 00007F3CA4BF78ABh 0x00000034 popfd 0x00000035 jmp 00007F3CA4BF78B8h 0x0000003a popad 0x0000003b cmp dword ptr [esi+08h], DDEEDDEEh 0x00000042 jmp 00007F3CA4BF78B0h 0x00000047 mov ecx, esi 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c pushfd 0x0000004d jmp 00007F3CA4BF78ADh 0x00000052 add ax, 5E36h 0x00000057 jmp 00007F3CA4BF78B1h 0x0000005c popfd 0x0000005d push eax 0x0000005e pop edi 0x0000005f popad 0x00000060 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 576033B second address: 5760341 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5760341 second address: 5760345 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5760345 second address: 5760377 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4739FEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F3D15F0002Fh 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F3CA4739FF5h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5760377 second address: 57603C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4BF78B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test byte ptr [76FB6968h], 00000002h 0x00000010 jmp 00007F3CA4BF78AEh 0x00000015 jne 00007F3D163BD8BBh 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F3CA4BF78B7h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57603C0 second address: 57603C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57603C6 second address: 57603CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57603CA second address: 57603FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4739FEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov edx, dword ptr [ebp+0Ch] 0x0000000e jmp 00007F3CA4739FF6h 0x00000013 xchg eax, ebx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 mov si, 498Fh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57603FC second address: 576041C instructions: 0x00000000 rdtsc 0x00000002 mov di, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3CA4BF78B3h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 576041C second address: 5760420 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5760420 second address: 5760426 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5760426 second address: 57604CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, cx 0x00000006 pushfd 0x00000007 jmp 00007F3CA4739FEEh 0x0000000c add eax, 5DFECB98h 0x00000012 jmp 00007F3CA4739FEBh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, ebx 0x0000001c pushad 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F3CA4739FF1h 0x00000024 sbb ax, 2936h 0x00000029 jmp 00007F3CA4739FF1h 0x0000002e popfd 0x0000002f mov ax, 9527h 0x00000033 popad 0x00000034 popad 0x00000035 xchg eax, ebx 0x00000036 pushad 0x00000037 call 00007F3CA4739FF8h 0x0000003c pushfd 0x0000003d jmp 00007F3CA4739FF2h 0x00000042 add esi, 33E05AB8h 0x00000048 jmp 00007F3CA4739FEBh 0x0000004d popfd 0x0000004e pop esi 0x0000004f push edx 0x00000050 mov edx, eax 0x00000052 pop eax 0x00000053 popad 0x00000054 push eax 0x00000055 push eax 0x00000056 push edx 0x00000057 pushad 0x00000058 mov esi, edi 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57604CF second address: 57604D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57604D4 second address: 5760504 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4739FF2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3CA4739FF7h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5760504 second address: 5760533 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edi 0x00000005 mov edi, 09D91166h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push dword ptr [ebp+14h] 0x00000010 jmp 00007F3CA4BF78ADh 0x00000015 push dword ptr [ebp+10h] 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F3CA4BF78ADh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 576055C second address: 576059E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4739FF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F3CA4739FF6h 0x00000013 or cx, 08F8h 0x00000018 jmp 00007F3CA4739FEBh 0x0000001d popfd 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 576059E second address: 57605A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57605A4 second address: 57605A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5740ED2 second address: 5740ED6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5740ED6 second address: 5740EDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5740EDA second address: 5740EE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5740EE0 second address: 5740EE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5740EE6 second address: 5740F6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F3CA4BF78ADh 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 call 00007F3CA4BF78ACh 0x00000015 mov di, si 0x00000018 pop esi 0x00000019 pushfd 0x0000001a jmp 00007F3CA4BF78B7h 0x0000001f xor cl, FFFFFFFEh 0x00000022 jmp 00007F3CA4BF78B9h 0x00000027 popfd 0x00000028 popad 0x00000029 mov ebp, esp 0x0000002b jmp 00007F3CA4BF78AEh 0x00000030 pop ebp 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F3CA4BF78B7h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5740F6E second address: 5740F74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57B1AAC second address: 57B1AB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57B1AB2 second address: 57B1AB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57B1AB6 second address: 57B1AEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4BF78B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov dx, 7A56h 0x00000011 popad 0x00000012 push eax 0x00000013 pushad 0x00000014 movzx eax, dx 0x00000017 movsx edx, ax 0x0000001a popad 0x0000001b xchg eax, ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F3CA4BF78ADh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57B1AEF second address: 57B1AF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57B1AF5 second address: 57B1B55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4BF78B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e movzx esi, dx 0x00000011 mov ecx, ebx 0x00000013 popad 0x00000014 push 0000007Fh 0x00000016 jmp 00007F3CA4BF78B3h 0x0000001b push 00000001h 0x0000001d jmp 00007F3CA4BF78B6h 0x00000022 push dword ptr [ebp+08h] 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F3CA4BF78AAh 0x0000002e rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57B1B55 second address: 57B1B5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57002AA second address: 57002D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, ax 0x00000006 call 00007F3CA4BF78B8h 0x0000000b pop ecx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 mov bx, B37Ch 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57002D7 second address: 57002DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57002DD second address: 57002F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4BF78ACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57002F8 second address: 57002FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57002FE second address: 5700304 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5700304 second address: 5700308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5700308 second address: 5700343 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4BF78AEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F3CA4BF78AEh 0x00000014 adc eax, 3DE8E028h 0x0000001a jmp 00007F3CA4BF78ABh 0x0000001f popfd 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5700343 second address: 5700387 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop edx 0x00000006 popad 0x00000007 popad 0x00000008 xchg eax, ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F3CA4739FF3h 0x00000012 adc ecx, 2445D21Eh 0x00000018 jmp 00007F3CA4739FF9h 0x0000001d popfd 0x0000001e movzx ecx, bx 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5700387 second address: 570038D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 570038D second address: 5700391 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5700391 second address: 57003E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4BF78B4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F3CA4BF78ACh 0x00000015 xor esi, 38AED278h 0x0000001b jmp 00007F3CA4BF78ABh 0x00000020 popfd 0x00000021 jmp 00007F3CA4BF78B8h 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57003E7 second address: 57003ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57003ED second address: 57003F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57003F1 second address: 57003F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57003F5 second address: 5700450 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ecx 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F3CA4BF78AFh 0x00000010 sbb ax, 879Eh 0x00000015 jmp 00007F3CA4BF78B9h 0x0000001a popfd 0x0000001b mov edi, ecx 0x0000001d popad 0x0000001e and dword ptr [ebp-04h], 00000000h 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F3CA4BF78B9h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5700450 second address: 570049A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, dh 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebp-04h] 0x0000000b pushad 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F3CA4739FF1h 0x00000013 and esi, 30B4A1E6h 0x00000019 jmp 00007F3CA4739FF1h 0x0000001e popfd 0x0000001f mov esi, 54273417h 0x00000024 popad 0x00000025 mov esi, 7A60FAB3h 0x0000002a popad 0x0000002b nop 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 570049A second address: 57004A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5700539 second address: 570053F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 570053F second address: 5700543 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5700543 second address: 5700547 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 56E0A8B second address: 56E0A9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3CA4BF78AEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 56E0A9D second address: 56E0ABB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 jmp 00007F3CA4739FECh 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 56E0ABB second address: 56E0ABF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 56E0ABF second address: 56E0AC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11148F6 second address: 11148FC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 11148FC second address: 1114906 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F3CA4739FE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 579055A second address: 57905C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3CA4BF78ABh 0x00000008 push esi 0x00000009 pop edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F3CA4BF78B7h 0x00000017 jmp 00007F3CA4BF78B3h 0x0000001c popfd 0x0000001d pushfd 0x0000001e jmp 00007F3CA4BF78B8h 0x00000023 adc ecx, 1D41CA68h 0x00000029 jmp 00007F3CA4BF78ABh 0x0000002e popfd 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57905C9 second address: 57905EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, ax 0x00000006 mov edi, esi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F3CA4739FF4h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57905EE second address: 57905F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57905F4 second address: 57905FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, B2D3h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57905FD second address: 5790632 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F3CA4BF78B1h 0x00000011 sub ah, FFFFFF96h 0x00000014 jmp 00007F3CA4BF78B1h 0x00000019 popfd 0x0000001a mov dh, ch 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5790632 second address: 579064F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3CA4739FF9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5760DEB second address: 5760DF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5760DF1 second address: 5760DF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5760DF5 second address: 5760E1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov cx, bx 0x0000000f call 00007F3CA4BF78B7h 0x00000014 pop esi 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5760E1D second address: 5760E5B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4739FF6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F3CA4739FEDh 0x00000015 jmp 00007F3CA4739FEBh 0x0000001a popfd 0x0000001b mov di, ax 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5760E5B second address: 5760E80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, si 0x00000006 mov di, si 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F3CA4BF78B5h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5740CA9 second address: 5740D28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edi 0x00000005 pushfd 0x00000006 jmp 00007F3CA4739FF1h 0x0000000b adc ah, FFFFFFD6h 0x0000000e jmp 00007F3CA4739FF1h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ebp 0x00000018 jmp 00007F3CA4739FEEh 0x0000001d push eax 0x0000001e jmp 00007F3CA4739FEBh 0x00000023 xchg eax, ebp 0x00000024 jmp 00007F3CA4739FF6h 0x00000029 mov ebp, esp 0x0000002b pushad 0x0000002c movzx ecx, bx 0x0000002f movsx edx, ax 0x00000032 popad 0x00000033 pop ebp 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F3CA4739FF1h 0x0000003b rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57D00EA second address: 57D0143 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F3CA4BF78B7h 0x00000009 xor al, FFFFFF8Eh 0x0000000c jmp 00007F3CA4BF78B9h 0x00000011 popfd 0x00000012 mov esi, 09A42497h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F3CA4BF78B4h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57D0143 second address: 57D0149 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57D0149 second address: 57D014E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57D014E second address: 57D0170 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3CA4739FEAh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F3CA4739FEEh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57D0170 second address: 57D0258 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov esi, edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b jmp 00007F3CA4BF78B9h 0x00000010 mov ebp, esp 0x00000012 jmp 00007F3CA4BF78AEh 0x00000017 push dword ptr [ebp+0Ch] 0x0000001a pushad 0x0000001b movzx esi, dx 0x0000001e mov si, bx 0x00000021 popad 0x00000022 push dword ptr [ebp+08h] 0x00000025 pushad 0x00000026 pushad 0x00000027 mov edx, 3BB62804h 0x0000002c pushfd 0x0000002d jmp 00007F3CA4BF78ADh 0x00000032 sbb cl, 00000046h 0x00000035 jmp 00007F3CA4BF78B1h 0x0000003a popfd 0x0000003b popad 0x0000003c pushfd 0x0000003d jmp 00007F3CA4BF78B0h 0x00000042 adc ecx, 3D980FE8h 0x00000048 jmp 00007F3CA4BF78ABh 0x0000004d popfd 0x0000004e popad 0x0000004f call 00007F3CA4BF78A9h 0x00000054 jmp 00007F3CA4BF78B6h 0x00000059 push eax 0x0000005a jmp 00007F3CA4BF78ABh 0x0000005f mov eax, dword ptr [esp+04h] 0x00000063 push eax 0x00000064 push edx 0x00000065 pushad 0x00000066 pushad 0x00000067 popad 0x00000068 pushfd 0x00000069 jmp 00007F3CA4BF78B0h 0x0000006e and si, E4A8h 0x00000073 jmp 00007F3CA4BF78ABh 0x00000078 popfd 0x00000079 popad 0x0000007a rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57D0258 second address: 57D0274 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov ax, dx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F3CA4739FEDh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57D0274 second address: 57D029B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4BF78B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F3CA4BF78ACh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57D029B second address: 57D02C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4739FEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d call 00007F3CA4739FF2h 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 578063E second address: 5780642 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5780642 second address: 578065A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4739FF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 578065A second address: 57806E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4BF78ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F3CA4BF78B6h 0x0000000f push eax 0x00000010 jmp 00007F3CA4BF78ABh 0x00000015 xchg eax, ebp 0x00000016 jmp 00007F3CA4BF78B6h 0x0000001b mov ebp, esp 0x0000001d pushad 0x0000001e call 00007F3CA4BF78AEh 0x00000023 jmp 00007F3CA4BF78B2h 0x00000028 pop ecx 0x00000029 mov cl, dh 0x0000002b popad 0x0000002c and esp, FFFFFFF0h 0x0000002f jmp 00007F3CA4BF78AAh 0x00000034 sub esp, 44h 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F3CA4BF78AAh 0x00000040 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57806E8 second address: 57806EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57806EE second address: 5780719 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 6F6B2663h 0x00000008 call 00007F3CA4BF78B8h 0x0000000d pop esi 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5780719 second address: 578072C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4739FEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 578072C second address: 578076F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, cx 0x00000006 mov bl, cl 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebx 0x0000000e pushad 0x0000000f mov cx, di 0x00000012 pushad 0x00000013 movsx edi, si 0x00000016 movzx eax, di 0x00000019 popad 0x0000001a popad 0x0000001b push ebp 0x0000001c jmp 00007F3CA4BF78B4h 0x00000021 mov dword ptr [esp], esi 0x00000024 pushad 0x00000025 mov eax, 3AED972Dh 0x0000002a mov bl, ah 0x0000002c popad 0x0000002d push ecx 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 pushad 0x00000032 popad 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 578076F second address: 57807B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4739FF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], edi 0x0000000c jmp 00007F3CA4739FEEh 0x00000011 mov edi, dword ptr [ebp+08h] 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F3CA4739FF7h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57807B9 second address: 57807BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57807BF second address: 578087A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+24h], 00000000h 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F3CA4739FEDh 0x00000017 or ax, F7A6h 0x0000001c jmp 00007F3CA4739FF1h 0x00000021 popfd 0x00000022 call 00007F3CA4739FF0h 0x00000027 pushfd 0x00000028 jmp 00007F3CA4739FF2h 0x0000002d sub ecx, 6D198078h 0x00000033 jmp 00007F3CA4739FEBh 0x00000038 popfd 0x00000039 pop ecx 0x0000003a popad 0x0000003b lock bts dword ptr [edi], 00000000h 0x00000040 jmp 00007F3CA4739FEFh 0x00000045 jc 00007F3D15E8BBD9h 0x0000004b pushad 0x0000004c pushad 0x0000004d mov ax, di 0x00000050 popad 0x00000051 pushfd 0x00000052 jmp 00007F3CA4739FEDh 0x00000057 add ecx, 4C4A63C6h 0x0000005d jmp 00007F3CA4739FF1h 0x00000062 popfd 0x00000063 popad 0x00000064 pop edi 0x00000065 push eax 0x00000066 push edx 0x00000067 push eax 0x00000068 push edx 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 578087A second address: 578087E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 578087E second address: 5780884 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5780884 second address: 57808D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F3CA4BF78B0h 0x00000009 jmp 00007F3CA4BF78B5h 0x0000000e popfd 0x0000000f mov ecx, 793B0B47h 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pop esi 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F3CA4BF78B9h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57808D2 second address: 57808F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4739FF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3CA4739FEDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57802A1 second address: 57802A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57802A5 second address: 57802AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57802AB second address: 57802DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F3CA4BF78B2h 0x00000009 add si, BFC8h 0x0000000e jmp 00007F3CA4BF78ABh 0x00000013 popfd 0x00000014 movzx esi, di 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57802DF second address: 57802E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57802E3 second address: 57802E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57802E9 second address: 5780373 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4739FF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c jmp 00007F3CA4739FF0h 0x00000011 mov ebp, esp 0x00000013 jmp 00007F3CA4739FF0h 0x00000018 xchg eax, ebx 0x00000019 pushad 0x0000001a pushad 0x0000001b call 00007F3CA4739FECh 0x00000020 pop eax 0x00000021 pushfd 0x00000022 jmp 00007F3CA4739FEBh 0x00000027 or si, A97Eh 0x0000002c jmp 00007F3CA4739FF9h 0x00000031 popfd 0x00000032 popad 0x00000033 mov edx, ecx 0x00000035 popad 0x00000036 push eax 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a mov cx, 22D5h 0x0000003e mov esi, 69701751h 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5780373 second address: 57803BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4BF78B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F3CA4BF78B6h 0x0000000f xchg eax, esi 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F3CA4BF78B7h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57803BF second address: 57803C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57803C4 second address: 5780400 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F3CA4BF78B5h 0x0000000a or eax, 690E0FD6h 0x00000010 jmp 00007F3CA4BF78B1h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5780400 second address: 5780404 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5780404 second address: 578040A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
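The interceptor entries above are hard to read one by one: each records the instruction stream between two consecutive rdtsc reads, and most of that stream is padding in the style of a commercial protector (pushad/popad and pushfd/popfd regions whose effect is undone, jmp-over-bytes, push/pop register juggling; the Oreans.vxd and WinLicense strings later in this report point the same way). The script below is an added example written for this page, not part of the Joe Sandbox report or of the sample: it parses entries of this format, strips the padding, chains entries whose second address is the next entry's first address, and reports the handful of real instructions each timing check actually straddles. The sample lines are copied from the entries above; the junk-stripping rules are a heuristic (a bare `pop ebp` in a genuine epilogue would be dropped too).

```python
import re
from dataclasses import dataclass

ENTRY_RE = re.compile(
    r"First address:\s*([0-9A-Fa-f]+)\s+second address:\s*([0-9A-Fa-f]+)"
    r"\s+instructions:\s*(.*)$"
)
OFFSET_RE = re.compile(r"\s*0x[0-9A-Fa-f]{8}\s+")   # "0x0000001a " precedes every instruction

REGS32 = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
WRAP_OPEN = {"pushad", "pushfd"}      # state saved here ...
WRAP_CLOSE = {"popad", "popfd"}       # ... is restored here, so the code between is dead
PADDING = {"jmp", "nop"}


@dataclass
class RdtscPair:
    first: int      # address of the first rdtsc
    second: int     # address of the second rdtsc
    insns: list     # instruction text in between; first and last entries are "rdtsc"


def parse_entry(line):
    """Parse one 'RDTSC instruction interceptor' line into an RdtscPair."""
    m = ENTRY_RE.search(line)
    if not m:
        raise ValueError("not an RDTSC interceptor entry: %r" % line[:60])
    insns = [s.strip() for s in OFFSET_RE.split(m.group(3)) if s.strip()]
    return RdtscPair(int(m.group(1), 16), int(m.group(2), 16), insns)


def is_register_shuffle(insn):
    parts = insn.split()
    return len(parts) == 2 and parts[0] in ("push", "pop") and parts[1] in REGS32


def effective_instructions(insns):
    """Drop the rdtsc reads, dead pushad/pushfd regions, jmp padding and
    push/pop register juggling; return the instructions that do real work."""
    depth, work = 0, []
    for insn in insns:
        mnem = insn.split()[0]
        if mnem in WRAP_OPEN:
            depth += 1
        elif mnem in WRAP_CLOSE:
            depth = max(depth - 1, 0)
        elif depth > 0:
            continue
        elif mnem == "rdtsc" or mnem in PADDING or is_register_shuffle(insn):
            continue
        else:
            work.append(insn)
    return work


def chain_pairs(pairs):
    """Link entries whose second address is another entry's first address."""
    by_first = {p.first: p for p in pairs}
    seconds = {p.second for p in pairs}
    chains = []
    for start in sorted(a for a in by_first if a not in seconds):
        chain, addr, seen = [], start, set()
        while addr in by_first and addr not in seen:
            seen.add(addr)
            chain.append(by_first[addr])
            addr = by_first[addr].second
        chains.append(chain)
    return chains


def summarize(lines):
    """One record per chain: address range, number of rdtsc reads, real work."""
    pairs = [parse_entry(l) for l in lines if "RDTSC instruction interceptor" in l]
    out = []
    for chain in chain_pairs(pairs):
        work = [i for p in chain for i in effective_instructions(p.insns)]
        out.append({"start": "%X" % chain[0].first, "end": "%X" % chain[-1].second,
                    "reads": len(chain) + 1, "work": work})
    return out


# Sample input: four entries copied from the report above (constructed test data).
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 578063E second address: 5780642 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc",
    r"Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 5780642 second address: 578065A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4739FF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc",
    r"Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 578065A second address: 57806E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3CA4BF78ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F3CA4BF78B6h 0x0000000f push eax 0x00000010 jmp 00007F3CA4BF78ABh 0x00000015 xchg eax, ebp 0x00000016 jmp 00007F3CA4BF78B6h 0x0000001b mov ebp, esp 0x0000001d pushad 0x0000001e call 00007F3CA4BF78AEh 0x00000023 jmp 00007F3CA4BF78B2h 0x00000028 pop ecx 0x00000029 mov cl, dh 0x0000002b popad 0x0000002c and esp, FFFFFFF0h 0x0000002f jmp 00007F3CA4BF78AAh 0x00000034 sub esp, 44h 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F3CA4BF78AAh 0x00000040 rdtsc",
    r"Source: C:\Users\user\Desktop\0BzQNa8hYd.exe RDTSC instruction interceptor: First address: 57D0258 second address: 57D0274 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov ax, dx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F3CA4739FEDh 0x00000014 rdtsc",
]

if __name__ == "__main__":
    for rec in summarize(SAMPLE_LINES):
        print("%s..%s  rdtsc reads=%d  work=%s" % (rec["start"], rec["end"], rec["reads"], rec["work"]))
```

On the three chained entries starting at 578063E the output is a function prologue (`xchg eax, ebp`, `mov ebp, esp`, `and esp, FFFFFFF0h`, `sub esp, 44h`) with four rdtsc reads woven through it: the protector measures the cycle count across a few real instructions, and only an emulator that traps every rdtsc (as the interceptor does) and returns a plausible small delta passes the check.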
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Special instruction interceptor: First address: F67AE9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Special instruction interceptor: First address: 112FF7B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Special instruction interceptor: First address: 111AB13 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Special instruction interceptor: First address: 1181C6C instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 917AE9 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: ADFF7B instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: ACAB13 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: B31C6C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: C07AE9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: DCFF7B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: DBAB13 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: E21C6C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_056D0BC1 rdtsc 0_2_056D0BC1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00E933B0 FindFirstFileA,FindNextFileA, 0_2_00E933B0
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00EB3B20 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_00EB3B20
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00E01F8C FindFirstFileExW, 0_2_00E01F8C
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00EAD2B0 RegOpenKeyExA,RegQueryValueExA,RegOpenKeyExA,RegQueryValueExA,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA, 0_2_00EAD2B0
Source: 0BzQNa8hYd.exe, 00000000.00000003.1771684754.000000000823C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}I
Source: Amcache.hve.9.dr Binary or memory string: VMware
Source: 0BzQNa8hYd.exe, 00000000.00000002.1962838850.0000000001A0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}?
Source: RageMP131.exe, 0000000F.00000002.2035206421.0000000000700000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}@
Source: Amcache.hve.9.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RageMP131.exe, 0000000F.00000002.2035206421.0000000000690000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: i\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&v
Source: 0BzQNa8hYd.exe, 00000000.00000002.1962838850.0000000001A4C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1871030062.0000000001503000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1869499685.0000000001148000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1869499685.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.1935964925.0000000001787000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.1935964925.000000000174B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000F.00000002.2035206421.0000000000722000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000F.00000002.2035206421.00000000006ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: RageMP131.exe, 0000000F.00000003.1964970556.0000000000706000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}3
Source: RageMP131.exe, 0000000A.00000003.1870950766.0000000001760000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.9.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr Binary or memory string: vmci.sys
Source: 0BzQNa8hYd.exe, 00000000.00000002.1962838850.0000000001990000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: Amcache.hve.9.dr Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: RageMP131.exe, RageMP131.exe, 0000000F.00000002.2035832776.0000000000D87000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: MPGPH131.exe, 00000006.00000002.1869499685.00000000010AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual USB Mouse
Source: 0BzQNa8hYd.exe, 00000000.00000003.1771684754.000000000823C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_8554E7C2
Source: MPGPH131.exe, 00000006.00000002.1869499685.000000000110B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr Binary or memory string: VMware, Inc.
Source: RageMP131.exe, 0000000F.00000003.1964970556.00000000006FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: 0BzQNa8hYd.exe, 00000000.00000003.1771684754.000000000823C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_8554E7C2p
Source: Amcache.hve.9.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: MPGPH131.exe, 00000005.00000002.1871030062.00000000014C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(
Source: RageMP131.exe, 0000000F.00000003.1964970556.0000000000706000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}T
Source: Amcache.hve.9.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: 0BzQNa8hYd.exe, 00000000.00000002.1962838850.0000000001A4C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}m
Source: Amcache.hve.9.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RageMP131.exe, 0000000F.00000002.2035206421.0000000000722000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWW
Source: Amcache.hve.9.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: 0BzQNa8hYd.exe, 00000000.00000002.1962838850.00000000019F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH
Source: 0BzQNa8hYd.exe, 00000000.00000002.1962838850.0000000001A2A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.1935964925.0000000001779000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
Source: 0BzQNa8hYd.exe, 00000000.00000002.1961728481.00000000010E7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.1868976621.0000000000A97000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000002.1868779489.0000000000A97000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.1935267704.0000000000D87000.00000040.00000001.01000000.00000007.sdmp, RageMP131.exe, 0000000F.00000002.2035832776.0000000000D87000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: RageMP131.exe, 0000000A.00000002.1935964925.000000000174B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000n
Source: 0BzQNa8hYd.exe, 00000000.00000003.1771301416.00000000081CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}J6HEdjEHUub5EtqTQ2dk3wwrCNfruTWZeEqONRrqgXAW0ke6pZXg==_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_055000F7 Start: 055003B2 End: 0550015C 10_2_055000F7
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 15_2_04A80129 Start: 04A8068A End: 04A800F5 15_2_04A80129
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: SICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: SIWVID
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_056D0BC1 rdtsc 0_2_056D0BC1
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00E94130 mov eax, dword ptr fs:[00000030h] 0_2_00E94130
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00E61A60 mov eax, dword ptr fs:[00000030h] 0_2_00E61A60
Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.1868779489.0000000000A97000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, RageMP131.exe, 0000000F.00000002.2035832776.0000000000D87000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: 2Program Manager
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00E0360D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_00E0360D
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Code function: 0_2_00EAD2B0 RegOpenKeyExA,RegQueryValueExA,RegOpenKeyExA,RegQueryValueExA,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA, 0_2_00EAD2B0
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.9.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 00000000.00000002.1966072223.00000000081DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1771907750.00000000081DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1771301416.00000000081CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 0BzQNa8hYd.exe PID: 7116, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7348, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7372, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7904, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7596, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\DHpYI8xc8c5WJf_4ET3wn7d.zip, type: DROPPED
Source: 0BzQNa8hYd.exe, 00000000.00000003.1739203023.000000000824D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: 0BzQNa8hYd.exe, 00000000.00000002.1962838850.0000000001A4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: 0BzQNa8hYd.exe, 00000000.00000003.1739203023.000000000824D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Jaxx\Local Storage*3
Source: 0BzQNa8hYd.exe, 00000000.00000002.1962838850.0000000001A4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: 0BzQNa8hYd.exe, 00000000.00000003.1772085637.00000000081D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: 0BzQNa8hYd.exe, 00000000.00000002.1962838850.0000000001A4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: 0BzQNa8hYd.exe, 00000000.00000003.1739203023.000000000824D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.jsonto
Source: 0BzQNa8hYd.exe, 00000000.00000002.1962838850.0000000001A4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsPN
Source: 0BzQNa8hYd.exe, 00000000.00000003.1771301416.00000000081CB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\places.sqlite
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\0BzQNa8hYd.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: 00000000.00000002.1962838850.0000000001A4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 0BzQNa8hYd.exe PID: 7116, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000000.00000002.1966072223.00000000081DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1771907750.00000000081DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1771301416.00000000081CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 0BzQNa8hYd.exe PID: 7116, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7348, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7372, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7904, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7596, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\DHpYI8xc8c5WJf_4ET3wn7d.zip, type: DROPPED