Windows Analysis Report
RY5YJaMEWE.exe

Overview

General Information

Sample name: RY5YJaMEWE.exe
renamed because original name is a hash value
Original sample name: deb3d632d4289a2efb454801f3f26f3f.exe
Analysis ID: 1435299
MD5: deb3d632d4289a2efb454801f3f26f3f
SHA1: 63b751ae4671d0c90f198ece15f2d3cad4066bb2
SHA256: febd86302b334475fb190bb39f59d8466df092d49373f4ef18a889d10a579230
Tags: 32exetrojan
Infos:

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
Connects to many ports of the same IP (likely port scanning)
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found decision node followed by non-executed suspicious APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://147.45.47.102:57893/hera/amadka.exe Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: http://193.233.132.56/cost/go.exe Virustotal: Detection: 19% Perma Link
Source: http://147.45.47.102:57893/hera/amadka.exe Virustotal: Detection: 18% Perma Link
Source: http://193.233.132.56/cost/sok.exe Virustotal: Detection: 21% Perma Link
Source: http://193.233.132.56/cost/lenin.exe Virustotal: Detection: 21% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe ReversingLabs: Detection: 52%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Virustotal: Detection: 51% Perma Link
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Virustotal: Detection: 51% Perma Link
Multi AV Scanner detection for submitted file
Source: RY5YJaMEWE.exe ReversingLabs: Detection: 52%
Source: RY5YJaMEWE.exe Virustotal: Detection: 51% Perma Link
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: RY5YJaMEWE.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00F53EB0 CryptUnprotectData,CryptUnprotectData, 0_2_00F53EB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00DF3EB0 CryptUnprotectData,CryptUnprotectData, 5_2_00DF3EB0
Uses 32bit PE files
Source: RY5YJaMEWE.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00F533B0 FindFirstFileA,FindNextFileA, 0_2_00F533B0
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00F73B20 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_00F73B20
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00EC1F8C FindFirstFileExW, 0_2_00EC1F8C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00DF33B0 FindFirstFileA,FindNextFileA, 5_2_00DF33B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00E13B20 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 5_2_00E13B20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00D61F8C FindFirstFileExW, 5_2_00D61F8C
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MPGPH131.exe_26de04c8d919827ad7c739526e9c9b66736d74_2d68038f_f0c4e445-146a-4765-8d64-007cf2e79cd3\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RY5YJaMEWE.exe_ff2c736c48ccb2a3339f60d7d435f1196e869cc4_ea0d20ec_73492806-5dcc-4638-baa6-02712be402eb\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49730 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49730
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49730
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49734
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49733
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49734
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49733
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49730 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49734 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49733 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49748
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49761
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49761 -> 147.45.47.93:58709
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 147.45.47.93 ports 0,5,7,8,58709,9
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 147.45.47.93:58709
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View IP Address: 147.45.47.93 147.45.47.93
Source: Joe Sandbox View IP Address: 172.67.75.166 172.67.75.166
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
May check the online IP address of the machine
Source: unknown DNS query: name: ipinfo.io
Source: unknown DNS query: name: ipinfo.io
Source: unknown DNS query: name: ipinfo.io
Source: unknown DNS query: name: ipinfo.io
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00F552A0 recv, 0_2_00F552A0
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: global traffic DNS traffic detected: DNS query: db-ip.com
Source: RY5YJaMEWE.exe, 00000000.00000002.1964458853.000000000082A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2003412221.00000000019C2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1928633812.00000000018D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe
Source: MPGPH131.exe, 00000005.00000002.2003412221.00000000019C2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe68.01t4
Source: MPGPH131.exe, 00000006.00000002.1928633812.00000000018D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/go.exe
Source: RY5YJaMEWE.exe, 00000000.00000002.1964458853.000000000082A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/go.exet
Source: RY5YJaMEWE.exe, 00000000.00000002.1971682167.000000000781E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2003412221.00000000019C2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1928633812.00000000018D6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1965122157.00000000081D1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1831725867.00000000081D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/lenin.exe
Source: RY5YJaMEWE.exe, 00000000.00000002.1964458853.000000000082A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/lenin.exe;
Source: MPGPH131.exe, 00000005.00000002.2003412221.00000000019C2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/lenin.exeuu
Source: RY5YJaMEWE.exe, 00000000.00000003.1782829200.000000000781E000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000002.1964458853.000000000082A000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000002.1971682167.000000000781E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2003412221.00000000019C2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1928633812.00000000018D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/sok.exe
Source: MPGPH131.exe, 00000006.00000002.1928633812.00000000018D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/sok.exe0.225
Source: RY5YJaMEWE.exe, 00000000.00000002.1964458853.000000000082A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/sok.exe4
Source: MPGPH131.exe, 00000005.00000002.2003412221.00000000019C2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/sok.exeKu
Source: RY5YJaMEWE.exe, 00000000.00000003.1782829200.000000000781E000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000002.1971682167.000000000781E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/sok.exelibermg
Source: Amcache.hve.11.dr String found in binary or memory: http://upx.sf.net
Source: RY5YJaMEWE.exe, 00000000.00000002.1966634727.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, RY5YJaMEWE.exe, 00000000.00000003.1607062296.0000000004B80000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1987575469.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1676041729.0000000005620000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1927863301.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.1828117687.00000000054A0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.1963824301.0000000000E71000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000013.00000002.2099361806.0000000000E71000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000013.00000003.1916661548.00000000056A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: RY5YJaMEWE.exe, 00000000.00000003.1733342484.00000000078AB000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000003.1732051317.00000000078A2000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000003.1731309434.0000000007883000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1790390523.00000000081FC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1793099877.000000000820B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1797813192.0000000008229000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1793113278.000000000822D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1788630015.00000000081F4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1789494955.0000000008206000.00000004.00000020.00020000.00000000.sdmp, ABmIzarrvOTcWeb Data.6.dr, MSpOulrR3IH2Web Data.6.dr, 5yrwZseMxE54Web Data.6.dr, L8kilZRULjEnWeb Data.0.dr, xi_e3rZqjpmOWeb Data.0.dr, gP77Ft0tqGf_Web Data.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RY5YJaMEWE.exe, 00000000.00000003.1733342484.00000000078AB000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000003.1732051317.00000000078A2000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000003.1731309434.0000000007883000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1790390523.00000000081FC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1793099877.000000000820B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1797813192.0000000008229000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1793113278.000000000822D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1788630015.00000000081F4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1789494955.0000000008206000.00000004.00000020.00020000.00000000.sdmp, ABmIzarrvOTcWeb Data.6.dr, MSpOulrR3IH2Web Data.6.dr, 5yrwZseMxE54Web Data.6.dr, L8kilZRULjEnWeb Data.0.dr, xi_e3rZqjpmOWeb Data.0.dr, gP77Ft0tqGf_Web Data.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RY5YJaMEWE.exe, 00000000.00000003.1733342484.00000000078AB000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000003.1732051317.00000000078A2000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000003.1731309434.0000000007883000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1790390523.00000000081FC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1793099877.000000000820B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1797813192.0000000008229000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1793113278.000000000822D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1788630015.00000000081F4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1789494955.0000000008206000.00000004.00000020.00020000.00000000.sdmp, ABmIzarrvOTcWeb Data.6.dr, MSpOulrR3IH2Web Data.6.dr, 5yrwZseMxE54Web Data.6.dr, L8kilZRULjEnWeb Data.0.dr, xi_e3rZqjpmOWeb Data.0.dr, gP77Ft0tqGf_Web Data.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RY5YJaMEWE.exe, 00000000.00000003.1733342484.00000000078AB000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000003.1732051317.00000000078A2000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000003.1731309434.0000000007883000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1790390523.00000000081FC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1793099877.000000000820B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1797813192.0000000008229000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1793113278.000000000822D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1788630015.00000000081F4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1789494955.0000000008206000.00000004.00000020.00020000.00000000.sdmp, ABmIzarrvOTcWeb Data.6.dr, MSpOulrR3IH2Web Data.6.dr, 5yrwZseMxE54Web Data.6.dr, L8kilZRULjEnWeb Data.0.dr, xi_e3rZqjpmOWeb Data.0.dr, gP77Ft0tqGf_Web Data.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RY5YJaMEWE.exe, 00000000.00000002.1964458853.000000000082A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2003412221.00000000019C2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1928633812.00000000018D6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.1967086376.00000000016F0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.1967086376.00000000016D9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000013.00000002.2100259197.0000000001B11000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: RageMP131.exe, 00000013.00000002.2100259197.0000000001B11000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/3d;
Source: RageMP131.exe, 00000013.00000002.2100259197.0000000001B11000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/?d
Source: RageMP131.exe, 00000013.00000002.2100259197.0000000001B11000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225
Source: RY5YJaMEWE.exe, 00000000.00000002.1964458853.000000000082A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.2255%
Source: RageMP131.exe, 00000013.00000002.2100259197.0000000001B11000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225=
Source: RY5YJaMEWE.exe, 00000000.00000002.1964458853.000000000082A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225D
Source: RageMP131.exe, 00000008.00000002.1967086376.00000000016F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225T
Source: RageMP131.exe, 00000013.00000002.2100259197.0000000001B11000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/k/
Source: RageMP131.exe, 00000008.00000002.1967086376.00000000016F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/y
Source: MPGPH131.exe, 00000006.00000002.1928633812.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000013.00000002.2100259197.0000000001A8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=191.96.150.225
Source: RY5YJaMEWE.exe, 00000000.00000002.1964458853.000000000082A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=191.96.150.225A
Source: MPGPH131.exe, 00000005.00000002.2003412221.00000000019C2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.1967086376.0000000001737000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=191.96.150.225P
Source: RY5YJaMEWE.exe, 00000000.00000003.1733342484.00000000078AB000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000003.1732051317.00000000078A2000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000003.1731309434.0000000007883000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1790390523.00000000081FC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1793099877.000000000820B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1797813192.0000000008229000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1793113278.000000000822D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1788630015.00000000081F4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1789494955.0000000008206000.00000004.00000020.00020000.00000000.sdmp, ABmIzarrvOTcWeb Data.6.dr, MSpOulrR3IH2Web Data.6.dr, 5yrwZseMxE54Web Data.6.dr, L8kilZRULjEnWeb Data.0.dr, xi_e3rZqjpmOWeb Data.0.dr, gP77Ft0tqGf_Web Data.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RY5YJaMEWE.exe, 00000000.00000003.1733342484.00000000078AB000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000003.1732051317.00000000078A2000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000003.1731309434.0000000007883000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1790390523.00000000081FC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1793099877.000000000820B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1797813192.0000000008229000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1793113278.000000000822D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1788630015.00000000081F4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1789494955.0000000008206000.00000004.00000020.00020000.00000000.sdmp, ABmIzarrvOTcWeb Data.6.dr, MSpOulrR3IH2Web Data.6.dr, 5yrwZseMxE54Web Data.6.dr, L8kilZRULjEnWeb Data.0.dr, xi_e3rZqjpmOWeb Data.0.dr, gP77Ft0tqGf_Web Data.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RY5YJaMEWE.exe, 00000000.00000003.1733342484.00000000078AB000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000003.1732051317.00000000078A2000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000003.1731309434.0000000007883000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1790390523.00000000081FC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1793099877.000000000820B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1797813192.0000000008229000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1793113278.000000000822D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1788630015.00000000081F4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1789494955.0000000008206000.00000004.00000020.00020000.00000000.sdmp, ABmIzarrvOTcWeb Data.6.dr, MSpOulrR3IH2Web Data.6.dr, 5yrwZseMxE54Web Data.6.dr, L8kilZRULjEnWeb Data.0.dr, xi_e3rZqjpmOWeb Data.0.dr, gP77Ft0tqGf_Web Data.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RageMP131.exe, 00000013.00000002.2100259197.0000000001B11000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: RY5YJaMEWE.exe, 00000000.00000002.1964458853.000000000082A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2003412221.00000000019B6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1928633812.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.1967086376.00000000016D9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000013.00000002.2100259197.0000000001B11000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: MPGPH131.exe, 00000006.00000002.1928633812.00000000018B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/TV
Source: RY5YJaMEWE.exe, 00000000.00000002.1966634727.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, RY5YJaMEWE.exe, 00000000.00000003.1607062296.0000000004B80000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1987575469.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1676041729.0000000005620000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1927863301.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.1828117687.00000000054A0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.1963824301.0000000000E71000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000013.00000002.2099361806.0000000000E71000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000013.00000003.1916661548.00000000056A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: MPGPH131.exe, 00000006.00000002.1928633812.000000000187A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000013.00000002.2100259197.0000000001ACD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/s
Source: RY5YJaMEWE.exe, 00000000.00000002.1964458853.000000000082A000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000002.1964458853.000000000080C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2003412221.0000000001969000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1928633812.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1928633812.000000000186B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.1967086376.000000000168A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.1967086376.00000000016D9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000013.00000002.2100259197.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000013.00000002.2100259197.0000000001A8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.225
Source: RageMP131.exe, 00000013.00000002.2100259197.0000000001A8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.2256
Source: RY5YJaMEWE.exe, 00000000.00000002.1964458853.000000000080C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.225F
Source: MPGPH131.exe, 00000006.00000002.1928633812.000000000186B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.225g
Source: MPGPH131.exe, 00000005.00000002.2003412221.00000000019B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.225xD7
Source: MPGPH131.exe, 00000005.00000002.2003412221.0000000001957000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/y
Source: RY5YJaMEWE.exe, 00000000.00000002.1964458853.000000000082A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2003412221.00000000019B6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1928633812.00000000018C0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000013.00000002.2100259197.0000000001A8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.150.225
Source: RageMP131.exe, 00000008.00000002.1967086376.00000000016D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.150.225m
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://support.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: RY5YJaMEWE.exe, 00000000.00000003.1731614318.0000000007890000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1796854496.0000000008218000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1791710392.00000000081EB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1792026941.000000000820B000.00000004.00000020.00020000.00000000.sdmp, uCxVeEHNaogpHistory.6.dr, 0vRICwDDA0AEHistory.6.dr, mQv7wn9CFqHtHistory.0.dr, OwXvTgbw3rfMHistory.0.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: uCxVeEHNaogpHistory.6.dr, 0vRICwDDA0AEHistory.6.dr, mQv7wn9CFqHtHistory.0.dr, OwXvTgbw3rfMHistory.0.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: RY5YJaMEWE.exe, 00000000.00000003.1731614318.0000000007890000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1796854496.0000000008218000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1791710392.00000000081EB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1792026941.000000000820B000.00000004.00000020.00020000.00000000.sdmp, uCxVeEHNaogpHistory.6.dr, 0vRICwDDA0AEHistory.6.dr, mQv7wn9CFqHtHistory.0.dr, OwXvTgbw3rfMHistory.0.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: uCxVeEHNaogpHistory.6.dr, 0vRICwDDA0AEHistory.6.dr, mQv7wn9CFqHtHistory.0.dr, OwXvTgbw3rfMHistory.0.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: RY5YJaMEWE.exe, 00000000.00000003.1782829200.000000000781E000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000002.1964458853.000000000079E000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000002.1971682167.000000000781E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2003412221.000000000192D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2006431706.0000000008180000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1928633812.000000000183A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1800568214.00000000081E4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1964682941.0000000008180000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.1967086376.000000000164E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000013.00000002.2100259197.0000000001A8B000.00000004.00000020.00020000.00000000.sdmp, ayJ4OMtTVlGKUrWcidqotQg.zip.0.dr, KF_fRlziJ7p5GphJKRn0mxX.zip.6.dr String found in binary or memory: https://t.me/RiseProSUPPORT
Source: MPGPH131.exe, 00000005.00000002.2006431706.0000000008180000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1964682941.0000000008180000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT=
Source: MPGPH131.exe, 00000006.00000002.1928633812.000000000183A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTE
Source: MPGPH131.exe, 00000005.00000002.2006431706.0000000008180000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTGb
Source: MPGPH131.exe, 00000006.00000002.1964682941.0000000008180000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTI
Source: RageMP131.exe, 00000008.00000002.1967086376.000000000164E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTc.
Source: RY5YJaMEWE.exe, 00000000.00000002.1964458853.000000000079E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTr
Source: RageMP131.exe, 00000013.00000002.2100259197.0000000001B11000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro7
Source: RageMP131.exe, 00000013.00000002.2100259197.0000000001B11000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro79
Source: RageMP131.exe, 00000013.00000002.2100259197.0000000001B11000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000013.00000002.2100259197.0000000001B73000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.0.dr, passwords.txt.6.dr String found in binary or memory: https://t.me/risepro_bot
Source: MPGPH131.exe, 00000006.00000002.1928633812.00000000018D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot#;
Source: RageMP131.exe, 00000013.00000002.2100259197.0000000001B11000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot)eV
Source: RageMP131.exe, 00000008.00000002.1967086376.00000000016F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botisepro_bot
Source: MPGPH131.exe, 00000005.00000002.2003412221.00000000019C2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botisepro_botkt
Source: MPGPH131.exe, 00000006.00000002.1928633812.00000000018D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botlater
Source: RageMP131.exe, 00000008.00000002.1967086376.00000000016F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botlaterH
Source: RageMP131.exe, 00000013.00000002.2100259197.0000000001B11000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botv
Source: RY5YJaMEWE.exe, 00000000.00000003.1733342484.00000000078AB000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000003.1732051317.00000000078A2000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000003.1731309434.0000000007883000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1790390523.00000000081FC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1793099877.000000000820B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1797813192.0000000008229000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1793113278.000000000822D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1788630015.00000000081F4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1789494955.0000000008206000.00000004.00000020.00020000.00000000.sdmp, ABmIzarrvOTcWeb Data.6.dr, MSpOulrR3IH2Web Data.6.dr, 5yrwZseMxE54Web Data.6.dr, L8kilZRULjEnWeb Data.0.dr, xi_e3rZqjpmOWeb Data.0.dr, gP77Ft0tqGf_Web Data.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: RY5YJaMEWE.exe, 00000000.00000003.1733342484.00000000078AB000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000003.1732051317.00000000078A2000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000003.1731309434.0000000007883000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1790390523.00000000081FC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1793099877.000000000820B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1797813192.0000000008229000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1793113278.000000000822D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1788630015.00000000081F4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1789494955.0000000008206000.00000004.00000020.00020000.00000000.sdmp, ABmIzarrvOTcWeb Data.6.dr, MSpOulrR3IH2Web Data.6.dr, 5yrwZseMxE54Web Data.6.dr, L8kilZRULjEnWeb Data.0.dr, xi_e3rZqjpmOWeb Data.0.dr, gP77Ft0tqGf_Web Data.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RY5YJaMEWE.exe, MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: RY5YJaMEWE.exe, 00000000.00000003.1782829200.000000000781E000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000002.1971682167.000000000781E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2006431706.0000000008180000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1964682941.00000000081BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1965122157.00000000081D1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1831725867.00000000081D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: RY5YJaMEWE.exe, 00000000.00000002.1971808377.000000000786A000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000003.1731472266.000000000786A000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000003.1732456732.000000000786A000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000003.1783043958.000000000786A000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000003.1732335452.000000000786A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1798274470.00000000081E3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1815613084.00000000081E3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1814996204.00000000081E3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1794402666.00000000081E3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1800915682.00000000081E3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1797481502.00000000081E3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1788747211.00000000081E3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1859115974.00000000081E3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1792487402.00000000081E3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1791784189.00000000081E3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1793588263.00000000081E3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1789360691.00000000081E3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2006473313.00000000081E3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1801682548.00000000081E3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1789758790.00000000081E3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1791339914.00000000081E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: MPGPH131.exe, 00000006.00000002.1964682941.00000000081BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/L
Source: RY5YJaMEWE.exe, 00000000.00000003.1782829200.000000000781E000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000002.1971682167.000000000781E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/X
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: RY5YJaMEWE.exe, 00000000.00000003.1782829200.000000000781E000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000002.1971682167.000000000781E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2006431706.0000000008180000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1964682941.00000000081BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1965122157.00000000081D1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1831725867.00000000081D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: MPGPH131.exe, 00000006.00000002.1964682941.00000000081BF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/efox/U
Source: MPGPH131.exe, 00000005.00000002.2006431706.0000000008180000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/esktop
Source: RY5YJaMEWE.exe, 00000000.00000002.1971808377.000000000786A000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000003.1731472266.000000000786A000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000003.1732456732.000000000786A000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000003.1783043958.000000000786A000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000003.1732335452.000000000786A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1798274470.00000000081E3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1815613084.00000000081E3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1814996204.00000000081E3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1794402666.00000000081E3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1800915682.00000000081E3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1797481502.00000000081E3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1788747211.00000000081E3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1859115974.00000000081E3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1792487402.00000000081E3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1791784189.00000000081E3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1793588263.00000000081E3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1789360691.00000000081E3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2006473313.00000000081E3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1801682548.00000000081E3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1789758790.00000000081E3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1791339914.00000000081E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: RY5YJaMEWE.exe, 00000000.00000003.1782829200.000000000781E000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000002.1971682167.000000000781E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/r
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49763 version: TLS 1.2

System Summary
barindex
PE file contains section with special chars
Source: RY5YJaMEWE.exe Static PE information: section name:
Source: RY5YJaMEWE.exe Static PE information: section name: .idata
Source: RY5YJaMEWE.exe Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name:
Detected potential crypto function
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00F88080 0_2_00F88080
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00ED001D 0_2_00ED001D
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00F261D0 0_2_00F261D0
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00F6D2B0 0_2_00F6D2B0
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00F6C3E0 0_2_00F6C3E0
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00F6B7E0 0_2_00F6B7E0
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00F0F730 0_2_00F0F730
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00E9B8E0 0_2_00E9B8E0
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00FCC8D0 0_2_00FCC8D0
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00F649B0 0_2_00F649B0
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00F28A80 0_2_00F28A80
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00F21A60 0_2_00F21A60
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00F2CBF0 0_2_00F2CBF0
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00F37D20 0_2_00F37D20
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00F23ED0 0_2_00F23ED0
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00F2AEC0 0_2_00F2AEC0
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00EE8E20 0_2_00EE8E20
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00F1DF60 0_2_00F1DF60
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00FC20C0 0_2_00FC20C0
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00FD40A0 0_2_00FD40A0
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00EC7190 0_2_00EC7190
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00FD3160 0_2_00FD3160
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00F31130 0_2_00F31130
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00F12100 0_2_00F12100
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00FCF280 0_2_00FCF280
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00F80350 0_2_00F80350
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00ED035F 0_2_00ED035F
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00EBF570 0_2_00EBF570
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00EE47AD 0_2_00EE47AD
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00ECC950 0_2_00ECC950
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00ECA918 0_2_00ECA918
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00FD4AE0 0_2_00FD4AE0
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00EDDA74 0_2_00EDDA74
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00FD5A40 0_2_00FD5A40
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00EE8BA0 0_2_00EE8BA0
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00F20BA0 0_2_00F20BA0
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00F74B90 0_2_00F74B90
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00F31E40 0_2_00F31E40
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00F7CFC0 0_2_00F7CFC0
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00F7BFC0 0_2_00F7BFC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00E28080 5_2_00E28080
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00D7001D 5_2_00D7001D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00DC61D0 5_2_00DC61D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00E0D2B0 5_2_00E0D2B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00E0C3E0 5_2_00E0C3E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00E0B7E0 5_2_00E0B7E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00DAF730 5_2_00DAF730
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00D3B8E0 5_2_00D3B8E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00E6C8D0 5_2_00E6C8D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00E049B0 5_2_00E049B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00DC8A80 5_2_00DC8A80
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00DC1A60 5_2_00DC1A60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00DCCBF0 5_2_00DCCBF0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00DD7D20 5_2_00DD7D20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00DC3ED0 5_2_00DC3ED0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00DCAEC0 5_2_00DCAEC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00DBDF60 5_2_00DBDF60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00E620C0 5_2_00E620C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00E740A0 5_2_00E740A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00D67190 5_2_00D67190
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00E73160 5_2_00E73160
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00DB2100 5_2_00DB2100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00DD1130 5_2_00DD1130
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00E6F280 5_2_00E6F280
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00D7035F 5_2_00D7035F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00E20350 5_2_00E20350
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00D5F570 5_2_00D5F570
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00D847AD 5_2_00D847AD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00D6C950 5_2_00D6C950
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00D6A918 5_2_00D6A918
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00E74AE0 5_2_00E74AE0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00D7DA74 5_2_00D7DA74
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00E75A40 5_2_00E75A40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00E14B90 5_2_00E14B90
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00D88BA0 5_2_00D88BA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00DC0BA0 5_2_00DC0BA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00E8FECB 5_2_00E8FECB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00DD1E40 5_2_00DD1E40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00D88E20 5_2_00D88E20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00E1BFC0 5_2_00E1BFC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00E1CFC0 5_2_00E1CFC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00E90F23 5_2_00E90F23
Found potential string decryption / allocating functions
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 00D4ACE0 appears 86 times
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: String function: 00EAACE0 appears 86 times
One or more processes crash
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7572 -s 2112
Sample file is different than original file name gathered from version info
Source: RY5YJaMEWE.exe Binary or memory string: OriginalFilename vs RY5YJaMEWE.exe
Source: RY5YJaMEWE.exe, 00000000.00000003.1630073451.0000000004D89000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs RY5YJaMEWE.exe
Source: RY5YJaMEWE.exe, 00000000.00000002.1966902993.0000000001017000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs RY5YJaMEWE.exe
Source: RY5YJaMEWE.exe, 00000000.00000000.1599875025.0000000001464000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs RY5YJaMEWE.exe
Source: RY5YJaMEWE.exe, 00000000.00000002.1967950362.0000000001464000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs RY5YJaMEWE.exe
Source: RY5YJaMEWE.exe, 00000000.00000002.1970567744.0000000004B80000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs RY5YJaMEWE.exe
Source: RY5YJaMEWE.exe Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs RY5YJaMEWE.exe
Uses 32bit PE files
Source: RY5YJaMEWE.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@14/60@3/3
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00F6D2B0 RegOpenKeyExA,RegQueryValueExA,RegOpenKeyExA,RegQueryValueExA,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA, 0_2_00F6D2B0
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe File created: C:\Users\user\AppData\Local\RageMP131 Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7724:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7572
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7768:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7816
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7808
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: RY5YJaMEWE.exe, 00000000.00000002.1966634727.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, RY5YJaMEWE.exe, 00000000.00000003.1607062296.0000000004B80000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1987575469.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1676041729.0000000005620000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1927863301.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.1828117687.00000000054A0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.1963824301.0000000000E71000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000013.00000002.2099361806.0000000000E71000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000013.00000003.1916661548.00000000056A0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: RY5YJaMEWE.exe, 00000000.00000002.1966634727.0000000000E91000.00000040.00000001.01000000.00000003.sdmp, RY5YJaMEWE.exe, 00000000.00000003.1607062296.0000000004B80000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.1987575469.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1676041729.0000000005620000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1927863301.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.1828117687.00000000054A0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.1963824301.0000000000E71000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000013.00000002.2099361806.0000000000E71000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000013.00000003.1916661548.00000000056A0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: RY5YJaMEWE.exe, 00000000.00000003.1730903040.0000000007888000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000003.1731050629.000000000786B000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000003.1731977959.0000000007888000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000003.1731309434.0000000007888000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000003.1730800568.000000000786B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1789319969.0000000008203000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.1790523089.00000000081A3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1788396310.00000000081DD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1788568773.00000000081DD000.00000004.00000020.00020000.00000000.sdmp, CIatSIfDuVzbLogin Data.6.dr, YwUIAuup7swjLogin Data For Account.0.dr, yCPxSYF0mu4KLogin Data.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RY5YJaMEWE.exe ReversingLabs: Detection: 52%
Source: RY5YJaMEWE.exe Virustotal: Detection: 51%
Source: RY5YJaMEWE.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RY5YJaMEWE.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: RY5YJaMEWE.exe String found in binary or memory: -add|'1
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe File read: C:\Users\user\Desktop\RY5YJaMEWE.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\RY5YJaMEWE.exe "C:\Users\user\Desktop\RY5YJaMEWE.exe"
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7572 -s 2112
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7816 -s 1300
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7808 -s 2064
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: RY5YJaMEWE.exe Static file information: File size 2399744 > 1048576
Source: RY5YJaMEWE.exe Static PE information: Raw size of hkdvbbje is bigger than: 0x100000 < 0x19ac00

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Unpacked PE file: 0.2.RY5YJaMEWE.exe.e90000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hkdvbbje:EW;hzawtfya:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hkdvbbje:EW;hzawtfya:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 5.2.MPGPH131.exe.d30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hkdvbbje:EW;hzawtfya:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hkdvbbje:EW;hzawtfya:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 6.2.MPGPH131.exe.d30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hkdvbbje:EW;hzawtfya:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hkdvbbje:EW;hzawtfya:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 8.2.RageMP131.exe.e70000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hkdvbbje:EW;hzawtfya:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hkdvbbje:EW;hzawtfya:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 19.2.RageMP131.exe.e70000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hkdvbbje:EW;hzawtfya:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hkdvbbje:EW;hzawtfya:EW;.taggant:EW;
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: RY5YJaMEWE.exe Static PE information: real checksum: 0x24aafb should be: 0x2508f6
Source: RageMP131.exe.0.dr Static PE information: real checksum: 0x24aafb should be: 0x2508f6
Source: MPGPH131.exe.0.dr Static PE information: real checksum: 0x24aafb should be: 0x2508f6
PE file contains sections with non-standard names
Source: RY5YJaMEWE.exe Static PE information: section name:
Source: RY5YJaMEWE.exe Static PE information: section name: .idata
Source: RY5YJaMEWE.exe Static PE information: section name:
Source: RY5YJaMEWE.exe Static PE information: section name: hkdvbbje
Source: RY5YJaMEWE.exe Static PE information: section name: hzawtfya
Source: RY5YJaMEWE.exe Static PE information: section name: .taggant
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: hkdvbbje
Source: RageMP131.exe.0.dr Static PE information: section name: hzawtfya
Source: RageMP131.exe.0.dr Static PE information: section name: .taggant
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: hkdvbbje
Source: MPGPH131.exe.0.dr Static PE information: section name: hzawtfya
Source: MPGPH131.exe.0.dr Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00EC3F49 push ecx; ret 0_2_00EC3F5C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00D63F49 push ecx; ret 5_2_00D63F5C
Source: RY5YJaMEWE.exe Static PE information: section name: entropy: 7.924389565460809
Source: RY5YJaMEWE.exe Static PE information: section name: hkdvbbje entropy: 7.9120392889166435
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.924389565460809
Source: RageMP131.exe.0.dr Static PE information: section name: hkdvbbje entropy: 7.9120392889166435
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.924389565460809
Source: MPGPH131.exe.0.dr Static PE information: section name: hkdvbbje entropy: 7.9120392889166435
Drops PE files
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Jump to dropped file
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131 Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131 Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Found stalling execution ending in API Sleep call
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Stalling execution: Execution stalls by calling Sleep
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1026934 second address: 102693E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F6F2CD44EB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 119D1D0 second address: 119D1D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11A64BA second address: 11A64C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11A64C4 second address: 11A64C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11A64C8 second address: 11A64FD instructions: 0x00000000 rdtsc 0x00000002 je 00007F6F2CCA62E6h 0x00000008 jmp 00007F6F2CCA62F5h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F6F2CCA62F2h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11A665A second address: 11A6674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F6F2CD44EC1h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11A6674 second address: 11A6678 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11A6678 second address: 11A668B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 js 00007F6F2CD44EC2h 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11A67CE second address: 11A67D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11A67D4 second address: 11A67ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F2CD44EC4h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11A9D1C second address: 11A9D20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11A9D20 second address: 11A9D36 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6F2CD44EB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c jo 00007F6F2CD44EC4h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11A9E16 second address: 11A9E9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6F2CCA62F8h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push ebx 0x0000000f jns 00007F6F2CCA62ECh 0x00000015 pop ebx 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a jp 00007F6F2CCA62F2h 0x00000020 mov eax, dword ptr [eax] 0x00000022 jo 00007F6F2CCA62F8h 0x00000028 jmp 00007F6F2CCA62F2h 0x0000002d mov dword ptr [esp+04h], eax 0x00000031 pushad 0x00000032 jno 00007F6F2CCA62F0h 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F6F2CCA62F1h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11A9E9D second address: 11A9EDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 cld 0x00000009 lea ebx, dword ptr [ebp+12456C13h] 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007F6F2CD44EB8h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 0000001Ah 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 mov dl, 4Fh 0x0000002b xchg eax, ebx 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F6F2CD44EBCh 0x00000033 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11A9EDF second address: 11A9EF1 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F6F2CCA62E8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11A9EF1 second address: 11A9EF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11A9F31 second address: 11A9F92 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a jng 00007F6F2CCA62ECh 0x00000010 pop eax 0x00000011 nop 0x00000012 mov edx, 7247E802h 0x00000017 jmp 00007F6F2CCA62F9h 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push eax 0x00000021 call 00007F6F2CCA62E8h 0x00000026 pop eax 0x00000027 mov dword ptr [esp+04h], eax 0x0000002b add dword ptr [esp+04h], 00000016h 0x00000033 inc eax 0x00000034 push eax 0x00000035 ret 0x00000036 pop eax 0x00000037 ret 0x00000038 cmc 0x00000039 push 8513D13Ch 0x0000003e pushad 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11A9F92 second address: 11A9F96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11A9F96 second address: 11AA002 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6F2CCA62E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F6F2CCA62ECh 0x00000010 jno 00007F6F2CCA62E6h 0x00000016 popad 0x00000017 add dword ptr [esp], 7AEC2F44h 0x0000001e mov esi, 51B74394h 0x00000023 push 00000003h 0x00000025 push 00000000h 0x00000027 push edi 0x00000028 call 00007F6F2CCA62E8h 0x0000002d pop edi 0x0000002e mov dword ptr [esp+04h], edi 0x00000032 add dword ptr [esp+04h], 0000001Ch 0x0000003a inc edi 0x0000003b push edi 0x0000003c ret 0x0000003d pop edi 0x0000003e ret 0x0000003f movsx esi, bx 0x00000042 mov edi, dword ptr [ebp+122D2B6Eh] 0x00000048 push 00000000h 0x0000004a adc dx, 2342h 0x0000004f push 00000003h 0x00000051 mov dword ptr [ebp+122D3274h], eax 0x00000057 push 9E9383EDh 0x0000005c push eax 0x0000005d push edx 0x0000005e push esi 0x0000005f pushad 0x00000060 popad 0x00000061 pop esi 0x00000062 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11AA002 second address: 11AA055 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6F2CD44EB8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 216C7C13h 0x00000013 lea ebx, dword ptr [ebp+12456C1Ch] 0x00000019 push 00000000h 0x0000001b push esi 0x0000001c call 00007F6F2CD44EB8h 0x00000021 pop esi 0x00000022 mov dword ptr [esp+04h], esi 0x00000026 add dword ptr [esp+04h], 00000017h 0x0000002e inc esi 0x0000002f push esi 0x00000030 ret 0x00000031 pop esi 0x00000032 ret 0x00000033 xchg eax, ebx 0x00000034 jne 00007F6F2CD44EC4h 0x0000003a push eax 0x0000003b pushad 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11AA055 second address: 11AA059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11AA059 second address: 11AA06F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CD44EBFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11AA206 second address: 11AA21B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CCA62F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11AA21B second address: 11AA27C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6F2CD44EB8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 26BB09A1h 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007F6F2CD44EB8h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b lea ebx, dword ptr [ebp+12456C27h] 0x00000031 push 00000000h 0x00000033 push ebx 0x00000034 call 00007F6F2CD44EB8h 0x00000039 pop ebx 0x0000003a mov dword ptr [esp+04h], ebx 0x0000003e add dword ptr [esp+04h], 00000014h 0x00000046 inc ebx 0x00000047 push ebx 0x00000048 ret 0x00000049 pop ebx 0x0000004a ret 0x0000004b mov si, C6CCh 0x0000004f push eax 0x00000050 push ecx 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11AA27C second address: 11AA280 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11AA280 second address: 11AA284 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11BB7F7 second address: 11BB7FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11BB7FD second address: 11BB801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11CA460 second address: 11CA46D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11CA46D second address: 11CA473 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11C82C8 second address: 11C82D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 119806C second address: 1198070 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11C8446 second address: 11C8462 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F2CCA62F7h 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11C8462 second address: 11C847B instructions: 0x00000000 rdtsc 0x00000002 js 00007F6F2CD44EC3h 0x00000008 jmp 00007F6F2CD44EBBh 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11C847B second address: 11C847F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11C8A73 second address: 11C8A7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11C8A7B second address: 11C8A86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11C8A86 second address: 11C8A8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11C8A8B second address: 11C8A95 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F6F2CCA62F2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11C8A95 second address: 11C8A9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11C8A9B second address: 11C8AB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F6F2CCA62F2h 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11C8AB5 second address: 11C8ABB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11C92CE second address: 11C92D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11C92D3 second address: 11C92ED instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6F2CD44EBEh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jc 00007F6F2CD44EB6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11C92ED second address: 11C92F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11C943D second address: 11C9453 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CD44EC1h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11C9453 second address: 11C945B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11BDCEB second address: 11BDCFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F6F2CD44EBAh 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11BDCFF second address: 11BDD36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ecx 0x00000006 jne 00007F6F2CCA62E6h 0x0000000c jmp 00007F6F2CCA62F6h 0x00000011 pop ecx 0x00000012 popad 0x00000013 pushad 0x00000014 jmp 00007F6F2CCA62EFh 0x00000019 push ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11BDD36 second address: 11BDD84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F2CD44EC9h 0x00000009 pop ebx 0x0000000a push esi 0x0000000b jmp 00007F6F2CD44EBEh 0x00000010 jmp 00007F6F2CD44EBBh 0x00000015 pop esi 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F6F2CD44EBDh 0x0000001d jnp 00007F6F2CD44EB6h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11C9590 second address: 11C9594 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11C9B2D second address: 11C9B3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F6F2CD44EB6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1194ADB second address: 1194AF8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6F2CCA62F7h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1194AF8 second address: 1194B02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F6F2CD44EB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1194B02 second address: 1194B19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CCA62EFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1194B19 second address: 1194B1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1194B1F second address: 1194B23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11D623B second address: 11D6241 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11D637C second address: 11D638C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F2CCA62ECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11D638C second address: 11D63A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CD44EC5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11D6665 second address: 11D6684 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F2CCA62F4h 0x00000009 pop edx 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11D7418 second address: 11D741C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11D74B4 second address: 11D74F1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F6F2CCA62F9h 0x00000008 jmp 00007F6F2CCA62F3h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xor dword ptr [esp], 304D5261h 0x00000016 mov dword ptr [ebp+122D1B84h], esi 0x0000001c call 00007F6F2CCA62E9h 0x00000021 js 00007F6F2CCA62F0h 0x00000027 push eax 0x00000028 push edx 0x00000029 push ecx 0x0000002a pop ecx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11D74F1 second address: 11D7507 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jl 00007F6F2CD44EC4h 0x0000000d pushad 0x0000000e jg 00007F6F2CD44EB6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11D7507 second address: 11D753E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 push edx 0x0000000a jno 00007F6F2CCA62E8h 0x00000010 pop edx 0x00000011 mov eax, dword ptr [eax] 0x00000013 jmp 00007F6F2CCA62EAh 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c pushad 0x0000001d pushad 0x0000001e jmp 00007F6F2CCA62F0h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11D753E second address: 11D7547 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11D7679 second address: 11D767F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11D767F second address: 11D7683 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11D7683 second address: 11D7691 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11D7691 second address: 11D7696 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11D795D second address: 11D7961 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11D80B8 second address: 11D80CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F2CD44EC2h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11D80CF second address: 11D80E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jns 00007F6F2CCA62E6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f js 00007F6F2CCA62F8h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11D80E8 second address: 11D80EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11D80EC second address: 11D80F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11D83DD second address: 11D83E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11D83E2 second address: 11D83E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11D868A second address: 11D86DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 popad 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007F6F2CD44EB8h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 0000001Dh 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 add edi, 6F1E0652h 0x0000002b pushad 0x0000002c sub edi, 7FD48DA6h 0x00000032 jmp 00007F6F2CD44EBEh 0x00000037 popad 0x00000038 xchg eax, ebx 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11D86DC second address: 11D86E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11D979E second address: 11D97A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11D95B7 second address: 11D95D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F2CCA62F7h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11D97A2 second address: 11D97BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b jmp 00007F6F2CD44EBCh 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11D95D3 second address: 11D95D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11DA7A3 second address: 11DA818 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F6F2CD44EBFh 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007F6F2CD44EB8h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 00000016h 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 push eax 0x00000028 mov esi, dword ptr [ebp+122D2BD6h] 0x0000002e pop edi 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push esi 0x00000034 call 00007F6F2CD44EB8h 0x00000039 pop esi 0x0000003a mov dword ptr [esp+04h], esi 0x0000003e add dword ptr [esp+04h], 00000016h 0x00000046 inc esi 0x00000047 push esi 0x00000048 ret 0x00000049 pop esi 0x0000004a ret 0x0000004b mov dword ptr [ebp+122D1B74h], edx 0x00000051 push 00000000h 0x00000053 mov dword ptr [ebp+12450FD5h], edi 0x00000059 xchg eax, ebx 0x0000005a pushad 0x0000005b jng 00007F6F2CD44EBCh 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11DA083 second address: 11DA0A8 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6F2CCA62F3h 0x00000008 jmp 00007F6F2CCA62EDh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 push edx 0x00000012 jg 00007F6F2CCA62E6h 0x00000018 pop edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c pop eax 0x0000001d rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11DA818 second address: 11DA841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F2CD44EC0h 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d ja 00007F6F2CD44EB6h 0x00000013 jp 00007F6F2CD44EB6h 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11DA841 second address: 11DA845 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11DBDE7 second address: 11DBE0B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CD44EBDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F6F2CD44EBCh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11DBE0B second address: 11DBE10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11DBE10 second address: 11DBE84 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CD44EC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov dword ptr [ebp+124799C3h], eax 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007F6F2CD44EB8h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 0000001Dh 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c mov dword ptr [ebp+122D1D0Ah], esi 0x00000032 jmp 00007F6F2CD44EC0h 0x00000037 push 00000000h 0x00000039 xor di, 5203h 0x0000003e xchg eax, ebx 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 jc 00007F6F2CD44EB6h 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11DBE84 second address: 11DBE89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11DBE89 second address: 11DBE9E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6F2CD44EBCh 0x00000008 jne 00007F6F2CD44EB6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11DBE9E second address: 11DBEB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F6F2CCA62E6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F6F2CCA62ECh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11DC968 second address: 11DC975 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push esi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11DC68D second address: 11DC691 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11DC691 second address: 11DC6B8 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6F2CD44EB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F6F2CD44EC1h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push esi 0x00000018 pushad 0x00000019 popad 0x0000001a pop esi 0x0000001b rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11DDEC5 second address: 11DDF70 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CCA62F6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jns 00007F6F2CCA6302h 0x00000010 nop 0x00000011 pushad 0x00000012 jp 00007F6F2CCA62ECh 0x00000018 mov ecx, dword ptr [ebp+122D2BDEh] 0x0000001e ja 00007F6F2CCA62EBh 0x00000024 popad 0x00000025 push 00000000h 0x00000027 pushad 0x00000028 push ebx 0x00000029 cmc 0x0000002a pop esi 0x0000002b mov di, ax 0x0000002e popad 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push eax 0x00000034 call 00007F6F2CCA62E8h 0x00000039 pop eax 0x0000003a mov dword ptr [esp+04h], eax 0x0000003e add dword ptr [esp+04h], 0000001Ah 0x00000046 inc eax 0x00000047 push eax 0x00000048 ret 0x00000049 pop eax 0x0000004a ret 0x0000004b xor dword ptr [ebp+124513D6h], esi 0x00000051 pushad 0x00000052 add dword ptr [ebp+124799C3h], ecx 0x00000058 jc 00007F6F2CCA62F2h 0x0000005e jmp 00007F6F2CCA62ECh 0x00000063 popad 0x00000064 push eax 0x00000065 push eax 0x00000066 push eax 0x00000067 push edx 0x00000068 push eax 0x00000069 push edx 0x0000006a rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11DDF70 second address: 11DDF74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11E378D second address: 11E3792 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11E3792 second address: 11E37FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jnc 00007F6F2CD44EB6h 0x00000012 popad 0x00000013 pop ebx 0x00000014 nop 0x00000015 adc ebx, 67A50C85h 0x0000001b push 00000000h 0x0000001d xor dword ptr [ebp+122D2D2Dh], eax 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push ebp 0x00000028 call 00007F6F2CD44EB8h 0x0000002d pop ebp 0x0000002e mov dword ptr [esp+04h], ebp 0x00000032 add dword ptr [esp+04h], 0000001Ch 0x0000003a inc ebp 0x0000003b push ebp 0x0000003c ret 0x0000003d pop ebp 0x0000003e ret 0x0000003f sub dword ptr [ebp+122D2C33h], ecx 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007F6F2CD44EC6h 0x0000004d rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11E2989 second address: 11E298F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11E298F second address: 11E2993 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11E3955 second address: 11E3A09 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jno 00007F6F2CCA62E6h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f or dword ptr [ebp+122D1A42h], ebx 0x00000015 push dword ptr fs:[00000000h] 0x0000001c push 00000000h 0x0000001e push edi 0x0000001f call 00007F6F2CCA62E8h 0x00000024 pop edi 0x00000025 mov dword ptr [esp+04h], edi 0x00000029 add dword ptr [esp+04h], 00000018h 0x00000031 inc edi 0x00000032 push edi 0x00000033 ret 0x00000034 pop edi 0x00000035 ret 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d sub edi, 71818261h 0x00000043 mov eax, dword ptr [ebp+122D1579h] 0x00000049 push 00000000h 0x0000004b push eax 0x0000004c call 00007F6F2CCA62E8h 0x00000051 pop eax 0x00000052 mov dword ptr [esp+04h], eax 0x00000056 add dword ptr [esp+04h], 0000001Dh 0x0000005e inc eax 0x0000005f push eax 0x00000060 ret 0x00000061 pop eax 0x00000062 ret 0x00000063 jmp 00007F6F2CCA62F9h 0x00000068 push FFFFFFFFh 0x0000006a mov bl, ah 0x0000006c nop 0x0000006d pushad 0x0000006e jmp 00007F6F2CCA62F9h 0x00000073 push eax 0x00000074 push edx 0x00000075 jp 00007F6F2CCA62E6h 0x0000007b rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11E586D second address: 11E588D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6F2CD44EC2h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11E3A09 second address: 11E3A0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11E588D second address: 11E5894 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11E3A0D second address: 11E3A25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c jnl 00007F6F2CCA62E6h 0x00000012 popad 0x00000013 pushad 0x00000014 push edi 0x00000015 pop edi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11E5B14 second address: 11E5B1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11E5B1B second address: 11E5B21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11E5B21 second address: 11E5B25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11E5B25 second address: 11E5B47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6F2CCA62F7h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11E6B15 second address: 11E6B2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CD44EC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11E6B2A second address: 11E6B30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11E8B9D second address: 11E8BA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11EA6E3 second address: 11EA6FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F2CCA62F4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11EA6FB second address: 11EA6FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11E99B5 second address: 11E99C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CCA62EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11EA6FF second address: 11EA71A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F6F2CD44EBCh 0x00000011 push edi 0x00000012 pop edi 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11E99C4 second address: 11E9A51 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F6F2CCA62E8h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007F6F2CCA62E8h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 0000001Ch 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 mov dword ptr [ebp+122D2124h], edi 0x0000002f sub dword ptr [ebp+12479538h], edx 0x00000035 push dword ptr fs:[00000000h] 0x0000003c push 00000000h 0x0000003e push edi 0x0000003f call 00007F6F2CCA62E8h 0x00000044 pop edi 0x00000045 mov dword ptr [esp+04h], edi 0x00000049 add dword ptr [esp+04h], 00000015h 0x00000051 inc edi 0x00000052 push edi 0x00000053 ret 0x00000054 pop edi 0x00000055 ret 0x00000056 mov ebx, esi 0x00000058 mov dword ptr fs:[00000000h], esp 0x0000005f sub dword ptr [ebp+122D301Bh], ebx 0x00000065 mov eax, dword ptr [ebp+122D06C5h] 0x0000006b push FFFFFFFFh 0x0000006d push esi 0x0000006e mov edi, dword ptr [ebp+122D212Bh] 0x00000074 pop edi 0x00000075 push eax 0x00000076 push eax 0x00000077 push edx 0x00000078 jc 00007F6F2CCA62E8h 0x0000007e push eax 0x0000007f pop eax 0x00000080 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11EB997 second address: 11EB9A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a je 00007F6F2CD44EB6h 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11EC9E5 second address: 11ECA44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp], eax 0x0000000a mov edi, dword ptr [ebp+122D2C04h] 0x00000010 push dword ptr fs:[00000000h] 0x00000017 mov di, ax 0x0000001a mov dword ptr fs:[00000000h], esp 0x00000021 add bl, FFFFFFA8h 0x00000024 mov eax, dword ptr [ebp+122D16EDh] 0x0000002a or dword ptr [ebp+12456010h], ebx 0x00000030 mov edi, 02CA6D1Ch 0x00000035 push FFFFFFFFh 0x00000037 push 00000000h 0x00000039 push ebx 0x0000003a call 00007F6F2CCA62E8h 0x0000003f pop ebx 0x00000040 mov dword ptr [esp+04h], ebx 0x00000044 add dword ptr [esp+04h], 00000014h 0x0000004c inc ebx 0x0000004d push ebx 0x0000004e ret 0x0000004f pop ebx 0x00000050 ret 0x00000051 mov dword ptr [ebp+122D1DFDh], edx 0x00000057 nop 0x00000058 pushad 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11ED97A second address: 11ED985 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F6F2CD44EB6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11ECA44 second address: 11ECA48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11ED985 second address: 11ED9A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CD44EC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11F192E second address: 11F1934 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11F1934 second address: 11F1992 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007F6F2CD44EB8h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 mov ebx, dword ptr [ebp+122D28DEh] 0x0000002b push 00000000h 0x0000002d mov ebx, dword ptr [ebp+122D288Ah] 0x00000033 push 00000000h 0x00000035 sub dword ptr [ebp+122D2E39h], edx 0x0000003b xchg eax, esi 0x0000003c pushad 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F6F2CD44EC5h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11F1992 second address: 11F1996 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11F601A second address: 11F601E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1192E93 second address: 1192EA7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F6F2CCA62EEh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11F820B second address: 11F8215 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6F2CD44EB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11F8215 second address: 11F821F instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6F2CCA62ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11FBDB7 second address: 11FBDBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1200F4B second address: 1200F51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1200F51 second address: 1200F56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1200F56 second address: 1200F5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1200F5D second address: 1200FA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c jno 00007F6F2CD44EB8h 0x00000012 push ecx 0x00000013 jmp 00007F6F2CD44EC8h 0x00000018 pop ecx 0x00000019 popad 0x0000001a mov eax, dword ptr [eax] 0x0000001c jmp 00007F6F2CD44EBFh 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 pushad 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1200FA5 second address: 1200FAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1201063 second address: 120106D instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6F2CD44EB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 120106D second address: 1201074 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1201135 second address: 120113B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 120113B second address: 1201140 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1201140 second address: 1201173 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007F6F2CD44EBBh 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 jmp 00007F6F2CD44EC5h 0x00000016 mov eax, dword ptr [eax] 0x00000018 push ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11A0657 second address: 11A0674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jmp 00007F6F2CCA62EFh 0x0000000b jnp 00007F6F2CCA62E6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11A0674 second address: 11A0686 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F6F2CD44EB6h 0x0000000a popad 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11A0686 second address: 11A0695 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F2CCA62EBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11A0695 second address: 11A06A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jl 00007F6F2CD44EB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11A06A1 second address: 11A06A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12059A6 second address: 12059B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F6F2CD44EB6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop esi 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1205B40 second address: 1205B61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CCA62F5h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1205B61 second address: 1205B67 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1205B67 second address: 1205B6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1205B6C second address: 1205BBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F2CD44EC5h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d ja 00007F6F2CD44EB6h 0x00000013 push eax 0x00000014 pop eax 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F6F2CD44EC3h 0x0000001f jmp 00007F6F2CD44EC3h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1205D38 second address: 1205D5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CCA62F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1205D5C second address: 1205D61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1205EDD second address: 1205EEA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1206028 second address: 1206047 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6F2CD44EC9h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1206047 second address: 1206053 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jp 00007F6F2CCA62E6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1206053 second address: 1206061 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F6F2CD44EB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1206061 second address: 1206099 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jne 00007F6F2CCA62F2h 0x00000011 push esi 0x00000012 pop esi 0x00000013 jmp 00007F6F2CCA62EAh 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F6F2CCA62F9h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12061ED second address: 1206233 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CD44EC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F6F2CD44EC4h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F6F2CD44EC3h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1206233 second address: 1206237 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 120B64C second address: 120B656 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F6F2CD44EB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 120B656 second address: 120B65A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 120B65A second address: 120B664 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 120B664 second address: 120B668 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 120BA4B second address: 120BA57 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6F2CD44EB6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 120BA57 second address: 120BA6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6F2CCA62EFh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 120BA6B second address: 120BA97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push esi 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F6F2CD44EBCh 0x00000010 pop esi 0x00000011 pushad 0x00000012 jmp 00007F6F2CD44EC1h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 120B204 second address: 120B208 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 120B208 second address: 120B20C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 120BEDB second address: 120BF06 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnl 00007F6F2CCA62E6h 0x0000000d jmp 00007F6F2CCA62F5h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 popad 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 120C4C9 second address: 120C4E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F2CD44EBBh 0x00000009 jl 00007F6F2CD44EBEh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1211D9B second address: 1211D9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12108EB second address: 1210905 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F2CD44EC4h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1210905 second address: 1210909 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1210909 second address: 1210917 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F6F2CD44EC2h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1210F8C second address: 1210F9C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jl 00007F6F2CCA62E6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1210F9C second address: 1210FA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1210FA6 second address: 1210FAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1210FAC second address: 1210FB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1211660 second address: 121166B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F6F2CCA62E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 121166B second address: 1211673 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1211673 second address: 1211679 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1211BC7 second address: 1211BE3 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F6F2CD44EB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F6F2CD44EBDh 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1211BE3 second address: 1211BF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F2CCA62EEh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1211BF6 second address: 1211C00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F6F2CD44EB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1211C00 second address: 1211C04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1215603 second address: 1215611 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6F2CD44EB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1215611 second address: 1215622 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F2CCA62EBh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1215622 second address: 1215626 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1215626 second address: 121562C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11E0B63 second address: 11E0B68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11E0B68 second address: 11E0B6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11E0CBD second address: 11E0D15 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6F2CD44EBCh 0x00000008 jo 00007F6F2CD44EB6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 add dword ptr [esp], 6D40B923h 0x00000017 jmp 00007F6F2CD44EC8h 0x0000001c call 00007F6F2CD44EB9h 0x00000021 pushad 0x00000022 jmp 00007F6F2CD44EC6h 0x00000027 pushad 0x00000028 jg 00007F6F2CD44EB6h 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11E0D15 second address: 11E0D24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11E0D24 second address: 11E0D58 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CD44EBEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e pushad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 jnl 00007F6F2CD44EB6h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F6F2CD44EC1h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11E0D58 second address: 11E0D88 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CCA62F2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c push edx 0x0000000d jmp 00007F6F2CCA62ECh 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11E0D88 second address: 11E0D8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11E0D8D second address: 11E0D92 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11E0ED3 second address: 11E0EE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CD44EC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11E165D second address: 11E16CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CCA62F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b jmp 00007F6F2CCA62F3h 0x00000010 nop 0x00000011 mov dl, B2h 0x00000013 push 0000001Eh 0x00000015 push 00000000h 0x00000017 push eax 0x00000018 call 00007F6F2CCA62E8h 0x0000001d pop eax 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 add dword ptr [esp+04h], 0000001Dh 0x0000002a inc eax 0x0000002b push eax 0x0000002c ret 0x0000002d pop eax 0x0000002e ret 0x0000002f nop 0x00000030 pushad 0x00000031 push esi 0x00000032 pushad 0x00000033 popad 0x00000034 pop esi 0x00000035 jns 00007F6F2CCA62ECh 0x0000003b popad 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f jc 00007F6F2CCA62ECh 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11E16CE second address: 11E16D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11E16D2 second address: 11E16EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6F2CCA62F3h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1215EA2 second address: 1215EA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1199B29 second address: 1199B2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1221059 second address: 122105F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 122105F second address: 1221069 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F6F2CCA62E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12214F6 second address: 12214FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12237F9 second address: 1223802 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1223802 second address: 1223808 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1223808 second address: 122380C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 122380C second address: 122382E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007F6F2CD44EB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007F6F2CD44EC1h 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1227683 second address: 1227696 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jnp 00007F6F2CCA62EEh 0x0000000b push esi 0x0000000c pop esi 0x0000000d jl 00007F6F2CCA62E6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1227696 second address: 12276A3 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F6F2CD44EB8h 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 118C404 second address: 118C408 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 118C408 second address: 118C410 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 118C410 second address: 118C415 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12270A0 second address: 12270B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F6F2CD44EC1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12270B7 second address: 12270E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6F2CCA62F2h 0x00000008 jns 00007F6F2CCA62E6h 0x0000000e jmp 00007F6F2CCA62EBh 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jg 00007F6F2CCA62E6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 122C17A second address: 122C17E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 122C17E second address: 122C184 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 122C184 second address: 122C18D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 122B489 second address: 122B49B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edx 0x00000004 pop edx 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007F6F2CCA62E6h 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 122B613 second address: 122B658 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CD44EC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F6F2CD44EC8h 0x0000000e pushad 0x0000000f jmp 00007F6F2CD44EBAh 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push esi 0x0000001a pop esi 0x0000001b rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 122B8E4 second address: 122B90A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 jmp 00007F6F2CCA62F1h 0x0000000a pop edx 0x0000000b pushad 0x0000000c jo 00007F6F2CCA62E6h 0x00000012 ja 00007F6F2CCA62E6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 122BCE9 second address: 122BCED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1230BA4 second address: 1230BC2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CCA62F5h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 122FD1B second address: 122FD40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F2CD44EC8h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007F6F2CD44EB6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 122FD40 second address: 122FD5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CCA62F5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 122FFE6 second address: 122FFEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 122FFEC second address: 122FFF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 122FFF2 second address: 122FFF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 123035C second address: 1230371 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F6F2CCA62EAh 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1230371 second address: 1230386 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F6F2CD44EB6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jc 00007F6F2CD44EBCh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1230610 second address: 123065B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F6F2CCA62F9h 0x0000000b pushad 0x0000000c popad 0x0000000d push edi 0x0000000e pop edi 0x0000000f jo 00007F6F2CCA62E6h 0x00000015 popad 0x00000016 popad 0x00000017 je 00007F6F2CCA6332h 0x0000001d push eax 0x0000001e jmp 00007F6F2CCA62F7h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1238413 second address: 1238473 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6F2CD44EBFh 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F6F2CD44EC9h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 jg 00007F6F2CD44EBEh 0x0000001b push eax 0x0000001c jmp 00007F6F2CD44EC5h 0x00000021 pop eax 0x00000022 push eax 0x00000023 push edx 0x00000024 jnc 00007F6F2CD44EB6h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1188F5A second address: 1188F7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 pushad 0x00000008 jmp 00007F6F2CCA62F0h 0x0000000d je 00007F6F2CCA62EEh 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 123657E second address: 1236582 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1236582 second address: 1236588 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1236588 second address: 1236591 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1236591 second address: 123659F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 123659F second address: 12365BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CD44EC5h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12365BA second address: 12365BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1236771 second address: 1236782 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007F6F2CD44EB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1236782 second address: 12367B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jmp 00007F6F2CCA62F2h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F6F2CCA62F2h 0x00000014 pushad 0x00000015 push eax 0x00000016 pop eax 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12367B7 second address: 12367BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12367BC second address: 12367C1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1236C37 second address: 1236C41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F6F2CD44EB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1236C41 second address: 1236C4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jbe 00007F6F2CCA62E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1236C4D second address: 1236C8D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CD44EC1h 0x00000007 push esi 0x00000008 pushad 0x00000009 popad 0x0000000a pop esi 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jbe 00007F6F2CD44EB8h 0x00000014 push esi 0x00000015 jnl 00007F6F2CD44EB6h 0x0000001b pop esi 0x0000001c push eax 0x0000001d jmp 00007F6F2CD44EC1h 0x00000022 pop eax 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1236C8D second address: 1236C93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1236E59 second address: 1236E5F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1236E5F second address: 1236E82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CCA62ECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F6F2CCA62EDh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1236E82 second address: 1236E86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1236E86 second address: 1236EA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F6F2CCA62F9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 123724C second address: 1237254 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1237254 second address: 1237278 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007F6F2CCA62E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6F2CCA62F6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1237BE2 second address: 1237BEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop esi 0x00000008 pushad 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1237BEE second address: 1237BF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12382BB second address: 12382BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12382BF second address: 12382C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 123FA90 second address: 123FA96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 118A945 second address: 118A949 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 124B489 second address: 124B48F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 124B48F second address: 124B4C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jo 00007F6F2CCA62EAh 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push esi 0x00000015 jmp 00007F6F2CCA62F6h 0x0000001a push eax 0x0000001b push edx 0x0000001c jg 00007F6F2CCA62E6h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12513FE second address: 1251403 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1250FA4 second address: 1250FAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F6F2CCA62E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12510FB second address: 12510FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12510FF second address: 125113B instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6F2CCA62E6h 0x00000008 jmp 00007F6F2CCA62F7h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F6F2CCA62EBh 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F6F2CCA62EEh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 125727F second address: 1257285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1257285 second address: 125728B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 125891E second address: 125892B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 125892B second address: 1258969 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6F2CCA62E6h 0x00000008 jmp 00007F6F2CCA62F9h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jnc 00007F6F2CCA62FBh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1261311 second address: 126131B instructions: 0x00000000 rdtsc 0x00000002 je 00007F6F2CD44EBCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12611D2 second address: 12611D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1263760 second address: 126376C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jp 00007F6F2CD44EB6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 126376C second address: 126378C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CCA62F2h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 126378C second address: 1263790 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1263790 second address: 12637AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CCA62F8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12637AC second address: 12637C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CD44EBFh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 126A2EF second address: 126A309 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F2CCA62F4h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 126A309 second address: 126A331 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 push esi 0x0000000a jmp 00007F6F2CD44EC9h 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1277E86 second address: 1277E9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F2CCA62F0h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1279841 second address: 127984B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F6F2CD44EB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 128189C second address: 12818B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F6F2CCA62EBh 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12818B1 second address: 12818B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12818B5 second address: 12818BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12818BE second address: 12818EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F2CD44EBFh 0x00000009 jmp 00007F6F2CD44EC8h 0x0000000e push edx 0x0000000f pop edx 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12818EF second address: 128190B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F2CCA62F6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 127D4B7 second address: 127D4BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 127D4BB second address: 127D4C5 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6F2CCA62E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 127D4C5 second address: 127D4CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 127D4CB second address: 127D4F1 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F6F2CCA6301h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 127D4F1 second address: 127D512 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F6F2CD44EC9h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 118F90D second address: 118F928 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F6F2CCA62EEh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 118F928 second address: 118F93A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F2CEFCAAEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 118F93A second address: 118F940 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 118F940 second address: 118F961 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F6F2CEFCAA6h 0x0000000a jmp 00007F6F2CEFCAB7h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 118F961 second address: 118F972 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 jno 00007F6F2CEFF536h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1291364 second address: 129137F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F2CEFCAB7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 129137F second address: 12913A4 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6F2CEFF536h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6F2CEFF549h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12913A4 second address: 12913BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F6F2CEFCAB1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12913BB second address: 12913C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12913C3 second address: 12913DA instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6F2CEFCAA6h 0x00000008 jmp 00007F6F2CEFCAAAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 1291089 second address: 129108F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 129108F second address: 1291093 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12BA24C second address: 12BA268 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F2CEFF542h 0x00000009 jng 00007F6F2CEFF536h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12BA65D second address: 12BA664 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12BA664 second address: 12BA66C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12BA66C second address: 12BA670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12BA974 second address: 12BA97A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12BA97A second address: 12BA97E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12BA97E second address: 12BA992 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F6F2CEFF536h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d jng 00007F6F2CEFF536h 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12BA992 second address: 12BA9A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007F6F2CEFCAACh 0x0000000a popad 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12BA9A7 second address: 12BA9C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jbe 00007F6F2CEFF53Ah 0x0000000f push edx 0x00000010 pop edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 jmp 00007F6F2CEFF53Ch 0x00000018 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12BA9C6 second address: 12BA9DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F6F2CEFCAA6h 0x0000000a jmp 00007F6F2CEFCAABh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12BE1EB second address: 12BE251 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F6F2CEFF545h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f jmp 00007F6F2CEFF542h 0x00000014 jmp 00007F6F2CEFF542h 0x00000019 popad 0x0000001a nop 0x0000001b sbb edx, 582FE5F3h 0x00000021 push dword ptr [ebp+122D1BDEh] 0x00000027 mov dword ptr [ebp+122D35BFh], edx 0x0000002d push 25E72B32h 0x00000032 pushad 0x00000033 pushad 0x00000034 jbe 00007F6F2CEFF536h 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12BF464 second address: 12BF47E instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6F2CEFCAACh 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b pop edi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12C11CD second address: 12C11D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12C11D3 second address: 12C11EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F6F2CEFCAB3h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12C0D25 second address: 12C0D2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12C0D2B second address: 12C0D31 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12C0D31 second address: 12C0D49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6F2CEFF542h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12C2DF1 second address: 12C2DF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 12C2DF5 second address: 12C2DFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C405D5 second address: 4C405DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C405DA second address: 4C40616 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F6F2CEFF53Dh 0x0000000a xor ax, A2C6h 0x0000000f jmp 00007F6F2CEFF541h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F6F2CEFF53Dh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C40616 second address: 4C4061C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C4061C second address: 4C40620 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C40620 second address: 4C40624 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C40624 second address: 4C40644 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6F2CEFF545h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C40644 second address: 4C4064A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C4064A second address: 4C4064E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C4064E second address: 4C40688 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CEFCAB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d movzx ecx, dx 0x00000010 movsx edi, ax 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F6F2CEFCAB2h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C40688 second address: 4C4068C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C4068C second address: 4C40692 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C40692 second address: 4C40698 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C10060 second address: 4C10066 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C10066 second address: 4C100A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CEFF543h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov eax, 6B4AF84Bh 0x00000012 push eax 0x00000013 push edx 0x00000014 pushfd 0x00000015 jmp 00007F6F2CEFF53Eh 0x0000001a add ah, 00000058h 0x0000001d jmp 00007F6F2CEFF53Bh 0x00000022 popfd 0x00000023 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C100A6 second address: 4C100D1 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 1A414A0Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov ebp, esp 0x0000000c jmp 00007F6F2CEFCAB2h 0x00000011 pop ebp 0x00000012 pushad 0x00000013 mov ax, 15CDh 0x00000017 push eax 0x00000018 push edx 0x00000019 mov esi, 2C8CFBEFh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C8036C second address: 4C80373 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C80373 second address: 4C80379 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C80379 second address: 4C803E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CEFF53Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F6F2CEFF53Bh 0x00000011 xchg eax, ebp 0x00000012 jmp 00007F6F2CEFF546h 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c jmp 00007F6F2CEFF53Dh 0x00000021 pushfd 0x00000022 jmp 00007F6F2CEFF540h 0x00000027 and cl, FFFFFFF8h 0x0000002a jmp 00007F6F2CEFF53Bh 0x0000002f popfd 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C00BD7 second address: 4C00C25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F6F2CEFCAAFh 0x00000008 pop ecx 0x00000009 mov bx, 784Ch 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 jmp 00007F6F2CEFCAB2h 0x00000016 xchg eax, ebp 0x00000017 jmp 00007F6F2CEFCAB0h 0x0000001c mov ebp, esp 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F6F2CEFCAAAh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C00C25 second address: 4C00C29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C00C29 second address: 4C00C2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C00C2F second address: 4C00CAB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F6F2CEFF53Ch 0x00000008 pop ecx 0x00000009 mov edx, 42740536h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push dword ptr [ebp+04h] 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F6F2CEFF543h 0x0000001b xor ax, 4DBEh 0x00000020 jmp 00007F6F2CEFF549h 0x00000025 popfd 0x00000026 jmp 00007F6F2CEFF540h 0x0000002b popad 0x0000002c push dword ptr [ebp+0Ch] 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F6F2CEFF547h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C00CAB second address: 4C00CFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F6F2CEFCAAFh 0x00000008 pop ecx 0x00000009 pushfd 0x0000000a jmp 00007F6F2CEFCAB9h 0x0000000f adc ecx, 57966AB6h 0x00000015 jmp 00007F6F2CEFCAB1h 0x0000001a popfd 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e push dword ptr [ebp+08h] 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C00CFC second address: 4C00D0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CEFF53Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C00D41 second address: 4C00D5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CEFCAB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ebx, esi 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C00D5D second address: 4C00D6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F2CEFF53Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C00D6F second address: 4C00D73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C50CE2 second address: 4C50CE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C50CE8 second address: 4C50CEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C50CEC second address: 4C50CFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C50CFB second address: 4C50CFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C50CFF second address: 4C50D03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C50D03 second address: 4C50D09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C50D09 second address: 4C50D0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C50D0F second address: 4C50D13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C50D13 second address: 4C50D2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b pushad 0x0000000c mov di, ax 0x0000000f push ecx 0x00000010 pushad 0x00000011 popad 0x00000012 pop edi 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C50D2E second address: 4C50D35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C50D35 second address: 4C50D3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4CA0357 second address: 4CA0381 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movzx esi, dx 0x00000007 popad 0x00000008 movsx ebx, ax 0x0000000b popad 0x0000000c mov ebp, esp 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F6F2CEFCAB8h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4CA0381 second address: 4CA0390 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CEFF53Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4CA0390 second address: 4CA03C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 3FE6EF0Ah 0x00000008 movsx ebx, ax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F6F2CEFCAAFh 0x00000018 jmp 00007F6F2CEFCAB3h 0x0000001d popfd 0x0000001e mov ah, D1h 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4CA03C9 second address: 4CA03CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C9004C second address: 4C90052 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C105FB second address: 4C10608 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 xchg eax, ebp 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C10608 second address: 4C1060C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C1060C second address: 4C10612 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C10612 second address: 4C10626 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dh, al 0x00000005 mov edx, 421B6A08h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C10626 second address: 4C1062A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C1062A second address: 4C1062E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C1062E second address: 4C10634 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C10634 second address: 4C10671 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F6F2CEFCAB0h 0x00000008 pop eax 0x00000009 mov dh, 3Dh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f jmp 00007F6F2CEFCAAAh 0x00000014 mov ebp, esp 0x00000016 jmp 00007F6F2CEFCAB0h 0x0000001b pop ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C10671 second address: 4C10675 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C10675 second address: 4C10679 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C10679 second address: 4C1067F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C8014F second address: 4C80155 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C80155 second address: 4C80159 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C80159 second address: 4C80168 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov edx, ecx 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C80168 second address: 4C8016E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C8016E second address: 4C801CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CEFCAABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e jmp 00007F6F2CEFCAB6h 0x00000013 mov ebp, esp 0x00000015 pushad 0x00000016 mov dx, ax 0x00000019 push eax 0x0000001a push edx 0x0000001b pushfd 0x0000001c jmp 00007F6F2CEFCAB8h 0x00000021 sub eax, 326EA0B8h 0x00000027 jmp 00007F6F2CEFCAABh 0x0000002c popfd 0x0000002d rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C80732 second address: 4C807BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CEFF540h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov cx, 1611h 0x0000000d popad 0x0000000e xchg eax, ebp 0x0000000f jmp 00007F6F2CEFF53Ch 0x00000014 push eax 0x00000015 pushad 0x00000016 mov di, E814h 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F6F2CEFF543h 0x00000021 sbb cl, FFFFFFAEh 0x00000024 jmp 00007F6F2CEFF549h 0x00000029 popfd 0x0000002a mov cx, D937h 0x0000002e popad 0x0000002f popad 0x00000030 xchg eax, ebp 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 movsx ebx, cx 0x00000037 pushfd 0x00000038 jmp 00007F6F2CEFF540h 0x0000003d add ch, 00000058h 0x00000040 jmp 00007F6F2CEFF53Bh 0x00000045 popfd 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C807BE second address: 4C807C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C807C4 second address: 4C807C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C807C8 second address: 4C807E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CEFCAABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 mov di, 5F64h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C807E2 second address: 4C80813 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F6F2CEFF53Dh 0x00000008 or al, FFFFFFA6h 0x0000000b jmp 00007F6F2CEFF541h 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 mov eax, dword ptr [ebp+08h] 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C80813 second address: 4C80817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C80817 second address: 4C8082A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CEFF53Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C8082A second address: 4C80866 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6F2CEFCAAFh 0x00000008 mov ecx, 1A905FAFh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 and dword ptr [eax], 00000000h 0x00000013 jmp 00007F6F2CEFCAB2h 0x00000018 and dword ptr [eax+04h], 00000000h 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f mov eax, edx 0x00000021 movsx edx, si 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C50BE6 second address: 4C50C0E instructions: 0x00000000 rdtsc 0x00000002 call 00007F6F2CEFF547h 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, ebx 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov eax, ebx 0x00000013 mov ch, bl 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C50C0E second address: 4C50C37 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CEFCAB5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6F2CEFCAADh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C50C37 second address: 4C50C3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C901E5 second address: 4C901E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C901E9 second address: 4C901EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C3081A second address: 4C3086A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CEFCAB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F6F2CEFCAAEh 0x0000000f push eax 0x00000010 jmp 00007F6F2CEFCAABh 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F6F2CEFCAB5h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C3086A second address: 4C3089E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 4E5A58E2h 0x00000008 jmp 00007F6F2CEFF543h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov ebp, esp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F6F2CEFF540h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C3089E second address: 4C308A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C308A2 second address: 4C308A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C308A8 second address: 4C308B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F2CEFCAADh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C90DAE second address: 4C90DB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C90DB2 second address: 4C90DB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C90DB8 second address: 4C90E00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CEFF544h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F6F2CEFF540h 0x0000000f push eax 0x00000010 jmp 00007F6F2CEFF53Bh 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 jmp 00007F6F2CEFF53Eh 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C90E00 second address: 4C90E7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 5E7077F4h 0x00000008 pushfd 0x00000009 jmp 00007F6F2CEFCAADh 0x0000000e xor cx, 81B6h 0x00000013 jmp 00007F6F2CEFCAB1h 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov ebp, esp 0x0000001e jmp 00007F6F2CEFCAAEh 0x00000023 xchg eax, ecx 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007F6F2CEFCAADh 0x0000002d or eax, 5E436DC6h 0x00000033 jmp 00007F6F2CEFCAB1h 0x00000038 popfd 0x00000039 call 00007F6F2CEFCAB0h 0x0000003e pop esi 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C90E7C second address: 4C90E82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C90E82 second address: 4C90E86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C50008 second address: 4C5000E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C5000E second address: 4C50076 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, ebx 0x00000005 mov si, bx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov ebx, 1E11FAD8h 0x00000012 popad 0x00000013 mov dword ptr [esp], ebp 0x00000016 pushad 0x00000017 mov ebx, 0B694CF0h 0x0000001c movsx edx, ax 0x0000001f popad 0x00000020 mov ebp, esp 0x00000022 pushad 0x00000023 mov ax, FADDh 0x00000027 jmp 00007F6F2CEFCAAAh 0x0000002c popad 0x0000002d and esp, FFFFFFF8h 0x00000030 jmp 00007F6F2CEFCAB0h 0x00000035 xchg eax, ecx 0x00000036 jmp 00007F6F2CEFCAB0h 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007F6F2CEFCAADh 0x00000045 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C50076 second address: 4C5007A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C5007A second address: 4C50080 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C50080 second address: 4C50086 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C50086 second address: 4C5008A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C5008A second address: 4C500BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ecx 0x00000009 jmp 00007F6F2CEFF542h 0x0000000e xchg eax, ebx 0x0000000f pushad 0x00000010 mov al, 5Dh 0x00000012 pushad 0x00000013 mov bh, BDh 0x00000015 mov di, ax 0x00000018 popad 0x00000019 popad 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F6F2CEFF53Ah 0x00000022 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C500BE second address: 4C500ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CEFCAABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov bx, 8FF6h 0x00000011 jmp 00007F6F2CEFCAB7h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C500ED second address: 4C5011C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CEFF549h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [ebp+10h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6F2CEFF53Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C5011C second address: 4C5014E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CEFCAB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6F2CEFCAB8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C5014E second address: 4C50154 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C50154 second address: 4C50172 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CEFCAAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov si, C413h 0x00000011 mov dx, ax 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C50172 second address: 4C50192 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6F2CEFF53Bh 0x00000008 mov eax, 3695F15Fh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xchg eax, esi 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov si, di 0x00000017 mov ch, dl 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C50192 second address: 4C50198 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C50198 second address: 4C5019C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C5019C second address: 4C501A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C501A0 second address: 4C501B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C501B0 second address: 4C501B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dx, cx 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C501B8 second address: 4C501FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CEFF547h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a jmp 00007F6F2CEFF546h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F6F2CEFF53Dh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C501FC second address: 4C50200 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C50200 second address: 4C50206 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C50206 second address: 4C502FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CEFCAACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a pushad 0x0000000b mov ebx, esi 0x0000000d pushfd 0x0000000e jmp 00007F6F2CEFCAAAh 0x00000013 sub esi, 30259C18h 0x00000019 jmp 00007F6F2CEFCAABh 0x0000001e popfd 0x0000001f popad 0x00000020 test esi, esi 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007F6F2CEFCAB4h 0x00000029 add ah, 00000078h 0x0000002c jmp 00007F6F2CEFCAABh 0x00000031 popfd 0x00000032 popad 0x00000033 je 00007F6F9F1DAE5Bh 0x00000039 pushad 0x0000003a pushad 0x0000003b pushad 0x0000003c popad 0x0000003d pushfd 0x0000003e jmp 00007F6F2CEFCAB7h 0x00000043 or esi, 34845AEEh 0x00000049 jmp 00007F6F2CEFCAB9h 0x0000004e popfd 0x0000004f popad 0x00000050 jmp 00007F6F2CEFCAB0h 0x00000055 popad 0x00000056 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000005d jmp 00007F6F2CEFCAB0h 0x00000062 je 00007F6F9F1DAE06h 0x00000068 jmp 00007F6F2CEFCAB0h 0x0000006d mov edx, dword ptr [esi+44h] 0x00000070 push eax 0x00000071 push edx 0x00000072 jmp 00007F6F2CEFCAB7h 0x00000077 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C502FD second address: 4C50343 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F6F2CEFF53Fh 0x00000008 pop eax 0x00000009 mov ebx, 7F48836Ch 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 or edx, dword ptr [ebp+0Ch] 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F6F2CEFF53Ch 0x0000001d jmp 00007F6F2CEFF545h 0x00000022 popfd 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C50343 second address: 4C50348 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C50348 second address: 4C5034E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C5034E second address: 4C50352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C50352 second address: 4C50356 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C50356 second address: 4C5036A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test edx, 61000000h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C5036A second address: 4C50378 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CEFF53Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C50378 second address: 4C503E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 24C4h 0x00000007 mov eax, ebx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jne 00007F6F9F1DADAAh 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F6F2CEFCAB5h 0x00000019 or cl, FFFFFFB6h 0x0000001c jmp 00007F6F2CEFCAB1h 0x00000021 popfd 0x00000022 jmp 00007F6F2CEFCAB0h 0x00000027 popad 0x00000028 test byte ptr [esi+48h], 00000001h 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F6F2CEFCAB7h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C703FB second address: 4C7040F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F2CEFF540h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C7040F second address: 4C70462 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 pushad 0x0000000a call 00007F6F2CEFCAAAh 0x0000000f pushad 0x00000010 popad 0x00000011 pop esi 0x00000012 pushfd 0x00000013 jmp 00007F6F2CEFCAB1h 0x00000018 and cx, DA86h 0x0000001d jmp 00007F6F2CEFCAB1h 0x00000022 popfd 0x00000023 popad 0x00000024 mov dword ptr [esp], ebp 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F6F2CEFCAADh 0x0000002e rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C70462 second address: 4C70472 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F2CEFF53Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C70472 second address: 4C70499 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6F2CEFCAB9h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C70499 second address: 4C704AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CEFF541h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C704AE second address: 4C704EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop eax 0x00000005 movsx ebx, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and esp, FFFFFFF8h 0x0000000e pushad 0x0000000f call 00007F6F2CEFCAB0h 0x00000014 mov ah, 8Ah 0x00000016 pop edi 0x00000017 mov ebx, eax 0x00000019 popad 0x0000001a xchg eax, ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F6F2CEFCAB5h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C704EB second address: 4C704F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C704F1 second address: 4C704F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C704F5 second address: 4C705C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F6F2CEFF546h 0x0000000e xchg eax, ebx 0x0000000f jmp 00007F6F2CEFF540h 0x00000014 xchg eax, esi 0x00000015 pushad 0x00000016 call 00007F6F2CEFF53Eh 0x0000001b mov si, E381h 0x0000001f pop eax 0x00000020 jmp 00007F6F2CEFF547h 0x00000025 popad 0x00000026 push eax 0x00000027 jmp 00007F6F2CEFF549h 0x0000002c xchg eax, esi 0x0000002d pushad 0x0000002e mov esi, 096D9FD3h 0x00000033 call 00007F6F2CEFF548h 0x00000038 jmp 00007F6F2CEFF542h 0x0000003d pop esi 0x0000003e popad 0x0000003f mov esi, dword ptr [ebp+08h] 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 pushfd 0x00000046 jmp 00007F6F2CEFF53Ah 0x0000004b sub esi, 538CF5B8h 0x00000051 jmp 00007F6F2CEFF53Bh 0x00000056 popfd 0x00000057 movzx eax, di 0x0000005a popad 0x0000005b rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C705C6 second address: 4C70624 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CEFCAB2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub ebx, ebx 0x0000000b jmp 00007F6F2CEFCAB1h 0x00000010 test esi, esi 0x00000012 pushad 0x00000013 mov di, cx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushfd 0x00000019 jmp 00007F6F2CEFCAB6h 0x0000001e jmp 00007F6F2CEFCAB5h 0x00000023 popfd 0x00000024 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C70624 second address: 4C70689 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CEFF540h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a je 00007F6F9F1B528Bh 0x00000010 jmp 00007F6F2CEFF540h 0x00000015 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001c jmp 00007F6F2CEFF540h 0x00000021 mov ecx, esi 0x00000023 pushad 0x00000024 mov dl, ah 0x00000026 popad 0x00000027 je 00007F6F9F1B526Dh 0x0000002d pushad 0x0000002e mov esi, 218B45F1h 0x00000033 push eax 0x00000034 pushad 0x00000035 popad 0x00000036 pop edx 0x00000037 popad 0x00000038 test byte ptr [76FB6968h], 00000002h 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C70689 second address: 4C70690 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C70690 second address: 4C706D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, di 0x00000006 push ebx 0x00000007 pop esi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007F6F9F1B5251h 0x00000011 pushad 0x00000012 jmp 00007F6F2CEFF53Dh 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007F6F2CEFF53Eh 0x0000001e add ch, 00000058h 0x00000021 jmp 00007F6F2CEFF53Bh 0x00000026 popfd 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C706D0 second address: 4C706FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov edx, dword ptr [ebp+0Ch] 0x00000009 jmp 00007F6F2CEFCAB4h 0x0000000e xchg eax, ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F6F2CEFCAAAh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C706FC second address: 4C7070B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CEFF53Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C7070B second address: 4C7076C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CEFCAB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov ax, bx 0x0000000e movsx edx, ax 0x00000011 popad 0x00000012 xchg eax, ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov ecx, ebx 0x00000018 pushfd 0x00000019 jmp 00007F6F2CEFCAB3h 0x0000001e xor esi, 1E5E853Eh 0x00000024 jmp 00007F6F2CEFCAB9h 0x00000029 popfd 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C7076C second address: 4C70772 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C70772 second address: 4C70776 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C70776 second address: 4C7079C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jmp 00007F6F2CEFF544h 0x0000000e mov dword ptr [esp], ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C7079C second address: 4C707A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C707A0 second address: 4C707A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C707A6 second address: 4C707B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F2CEFCAABh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C70815 second address: 4C70891 instructions: 0x00000000 rdtsc 0x00000002 mov eax, ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop esi 0x00000008 pushad 0x00000009 mov ah, dl 0x0000000b jmp 00007F6F2CEFF53Ch 0x00000010 popad 0x00000011 pop ebx 0x00000012 jmp 00007F6F2CEFF540h 0x00000017 mov esp, ebp 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007F6F2CEFF53Eh 0x00000020 add si, F548h 0x00000025 jmp 00007F6F2CEFF53Bh 0x0000002a popfd 0x0000002b pushfd 0x0000002c jmp 00007F6F2CEFF548h 0x00000031 xor ah, FFFFFFA8h 0x00000034 jmp 00007F6F2CEFF53Bh 0x00000039 popfd 0x0000003a popad 0x0000003b pop ebp 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C70891 second address: 4C70897 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C6017B second address: 4C60185 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 54CF3624h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4CC1C24 second address: 4CC1C59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6F2CEFCAACh 0x00000009 sub al, FFFFFFD8h 0x0000000c jmp 00007F6F2CEFCAABh 0x00000011 popfd 0x00000012 mov bl, ah 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F6F2CEFCAAEh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4CC1C59 second address: 4CC1C6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F2CEFF53Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4CC1C6B second address: 4CC1C6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4CC1C6F second address: 4CC1CC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F6F2CEFF547h 0x0000000f push 0000007Fh 0x00000011 pushad 0x00000012 push esi 0x00000013 mov edx, 505DFD86h 0x00000018 pop edx 0x00000019 popad 0x0000001a push 00000001h 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f pushfd 0x00000020 jmp 00007F6F2CEFF542h 0x00000025 sbb cx, 8028h 0x0000002a jmp 00007F6F2CEFF53Bh 0x0000002f popfd 0x00000030 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4CC1CC4 second address: 4CC1D48 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F6F2CEFCAB8h 0x00000008 sbb esi, 0DC13288h 0x0000000e jmp 00007F6F2CEFCAABh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushfd 0x00000017 jmp 00007F6F2CEFCAB8h 0x0000001c sbb eax, 56E894E8h 0x00000022 jmp 00007F6F2CEFCAABh 0x00000027 popfd 0x00000028 popad 0x00000029 push dword ptr [ebp+08h] 0x0000002c pushad 0x0000002d mov esi, 243BDFFBh 0x00000032 push eax 0x00000033 push edx 0x00000034 pushfd 0x00000035 jmp 00007F6F2CEFCAAEh 0x0000003a xor ah, 00000048h 0x0000003d jmp 00007F6F2CEFCAABh 0x00000042 popfd 0x00000043 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4CC1D5A second address: 4CC1D5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4CC1D5E second address: 4CC1D64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4CC1D64 second address: 4CC1D7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F2CEFF545h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4CC1D7D second address: 4CC1DA4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CEFCAB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F6F2CEFCAADh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4CC1DA4 second address: 4CC1C24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F6F2CEFF53Ah 0x00000008 pop ecx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c retn 0004h 0x0000000f lea eax, dword ptr [ebp-10h] 0x00000012 push eax 0x00000013 call ebx 0x00000015 mov edi, edi 0x00000017 jmp 00007F6F2CEFF548h 0x0000001c xchg eax, ebp 0x0000001d pushad 0x0000001e mov dx, cx 0x00000021 jmp 00007F6F2CEFF53Ah 0x00000026 popad 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b movzx ecx, di 0x0000002e call 00007F6F2CEFF549h 0x00000033 pop esi 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C102D4 second address: 4C102EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F2CEFCAB3h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C102EC second address: 4C10343 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F6F2CEFF53Fh 0x00000008 pop esi 0x00000009 pushfd 0x0000000a jmp 00007F6F2CEFF549h 0x0000000f or ecx, 7924CD96h 0x00000015 jmp 00007F6F2CEFF541h 0x0000001a popfd 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F6F2CEFF53Ch 0x00000026 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C10343 second address: 4C10355 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F2CEFCAAEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C10355 second address: 4C10359 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C10359 second address: 4C10368 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C10368 second address: 4C1036E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C1036E second address: 4C103BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, di 0x00000006 push edi 0x00000007 pop ecx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 call 00007F6F2CEFCAB0h 0x00000015 pop eax 0x00000016 pushfd 0x00000017 jmp 00007F6F2CEFCAABh 0x0000001c or esi, 1C98F18Eh 0x00000022 jmp 00007F6F2CEFCAB9h 0x00000027 popfd 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C103BC second address: 4C103FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 pushfd 0x00000007 jmp 00007F6F2CEFF543h 0x0000000c add ch, FFFFFF9Eh 0x0000000f jmp 00007F6F2CEFF549h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C103FD second address: 4C10401 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C10401 second address: 4C10407 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C10407 second address: 4C1045B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CEFCAB2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F6F2CEFCAABh 0x0000000f xchg eax, ecx 0x00000010 pushad 0x00000011 jmp 00007F6F2CEFCAB4h 0x00000016 mov ah, 90h 0x00000018 popad 0x00000019 and dword ptr [ebp-04h], 00000000h 0x0000001d jmp 00007F6F2CEFCAADh 0x00000022 lea eax, dword ptr [ebp-04h] 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C1045B second address: 4C1045F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C1045F second address: 4C1049C instructions: 0x00000000 rdtsc 0x00000002 mov edi, ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6F2CEFCAB4h 0x0000000b popad 0x0000000c nop 0x0000000d jmp 00007F6F2CEFCAB0h 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F6F2CEFCAAEh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4BF0BDD second address: 4BF0C12 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CEFF541h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F6F2CEFF53Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F6F2CEFF53Eh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4BF0C12 second address: 4BF0C63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CEFCAABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov edx, 5B866966h 0x00000012 pushfd 0x00000013 jmp 00007F6F2CEFCAB7h 0x00000018 or eax, 0767F3EEh 0x0000001e jmp 00007F6F2CEFCAB9h 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4BF0C63 second address: 4BF0C80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CEFF541h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4BF0C80 second address: 4BF0C86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4BF0C86 second address: 4BF0C8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4BF0C8C second address: 4BF0C90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4BF0C90 second address: 4BF0CAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6F2CEFF53Fh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4BF0CAA second address: 4BF0CB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4BF0CB0 second address: 4BF0CB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11DA31D second address: 11DA321 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 11DA321 second address: 11DA327 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C50E24 second address: 4C50E47 instructions: 0x00000000 rdtsc 0x00000002 mov esi, 352C064Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b jmp 00007F6F2CEFCAB2h 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C50E47 second address: 4C50E50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ax, 3409h 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe RDTSC instruction interceptor: First address: 4C50E50 second address: 4C50E95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CEFCAAFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F6F2CEFCAB6h 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F6F2CEFCAB7h 0x00000018 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Special instruction interceptor: First address: 1026975 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Special instruction interceptor: First address: 11E0793 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Special instruction interceptor: First address: 1241F93 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: EC6975 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 1080793 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 10E1F93 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 1006975 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 11C0793 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 1221F93 instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_04BE0645 rdtsc 0_2_04BE0645
Found decision node followed by non-executed suspicious APIs
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4564 Thread sleep count: 103 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00F533B0 FindFirstFileA,FindNextFileA, 0_2_00F533B0
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00F73B20 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_00F73B20
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00EC1F8C FindFirstFileExW, 0_2_00EC1F8C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00DF33B0 FindFirstFileA,FindNextFileA, 5_2_00DF33B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00E13B20 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 5_2_00E13B20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00D61F8C FindFirstFileExW, 5_2_00D61F8C
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00F6D2B0 RegOpenKeyExA,RegQueryValueExA,RegOpenKeyExA,RegQueryValueExA,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA, 0_2_00F6D2B0
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MPGPH131.exe_26de04c8d919827ad7c739526e9c9b66736d74_2d68038f_f0c4e445-146a-4765-8d64-007cf2e79cd3\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RY5YJaMEWE.exe_ff2c736c48ccb2a3339f60d7d435f1196e869cc4_ea0d20ec_73492806-5dcc-4638-baa6-02712be402eb\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: MPGPH131.exe, 00000005.00000002.2003412221.00000000019C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWu
Source: RageMP131.exe, 00000008.00000002.1967086376.00000000016D9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn!1,
Source: Amcache.hve.11.dr Binary or memory string: VMware
Source: RY5YJaMEWE.exe, 00000000.00000003.1635576105.000000000080F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}F21
Source: MPGPH131.exe, 00000006.00000002.1928633812.000000000191C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}.qa,f.qa,g.qa,h.qa,i.qa,j.qa,k.qa,l.qa,m.qa,n.qa,o.qa,p.qa,q.qa,r.qa,s.qa,t.qa,u.qa,v.qa,w.qa,x.qa,y.qa,z.V}
Source: Amcache.hve.11.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RY5YJaMEWE.exe, 00000000.00000002.1964458853.000000000082A000.00000004.00000020.00020000.00000000.sdmp, RY5YJaMEWE.exe, 00000000.00000002.1964458853.00000000007F8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2003412221.00000000019C2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1928633812.00000000018D6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.1928633812.000000000188A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.1967086376.00000000016A8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.1967086376.00000000016F0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000013.00000002.2100259197.0000000001ADD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000013.00000002.2100259197.0000000001B11000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: RageMP131.exe, 00000013.00000003.1969991526.0000000001AF7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.11.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: MPGPH131.exe, 00000005.00000002.2003412221.000000000199F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}|D7
Source: MPGPH131.exe, 00000006.00000002.1928633812.000000000183A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: Amcache.hve.11.dr Binary or memory string: vmci.sys
Source: MPGPH131.exe, 00000006.00000003.1799219032.00000000081F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}+NSL0IkYSGUDS2G\
Source: Amcache.hve.11.dr Binary or memory string: VMware20,1
Source: MPGPH131.exe, 00000005.00000002.2003412221.00000000019C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_826CA6BBCHAR
Source: Amcache.hve.11.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.11.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.11.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.11.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.11.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: RY5YJaMEWE.exe, 00000000.00000003.1738255642.0000000007882000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}a\*AG
Source: Amcache.hve.11.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.11.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.11.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: MPGPH131.exe, 00000005.00000002.2006431706.0000000008180000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}s\user\AppData\Roaming$G
Source: RY5YJaMEWE.exe, RY5YJaMEWE.exe, 00000000.00000002.1967045734.00000000011B1000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.1988462124.0000000001051000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000002.1928036018.0000000001051000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.1964986921.0000000001191000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000013.00000002.2099549936.0000000001191000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: MPGPH131.exe, 00000005.00000002.2003412221.0000000001987000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8
Source: RageMP131.exe, 00000013.00000002.2100259197.0000000001A80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual USB Mouse
Source: MPGPH131.exe, 00000006.00000002.1928633812.000000000189A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
Source: Amcache.hve.11.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.11.dr Binary or memory string: VMware, Inc.
Source: RageMP131.exe, 00000013.00000003.1969991526.0000000001AEF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000005.00000002.2003412221.000000000192D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&JD7
Source: Amcache.hve.11.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.11.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.11.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: MPGPH131.exe, 00000006.00000002.1928633812.00000000018D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%
Source: MPGPH131.exe, 00000006.00000002.1928633812.000000000191C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _vmware
Source: Amcache.hve.11.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: MPGPH131.exe, 00000006.00000002.1928633812.000000000191C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \?\scsi_vmwaretual_dif219&0&3f563070-94f2-b8b}J65EtqTQ2ruTWZeEW0ke6pZu6LLcKCEPSL9PtJkfCzME
Source: Amcache.hve.11.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: MPGPH131.exe, 00000005.00000003.1825851783.000000000820A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}*Ce
Source: Amcache.hve.11.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: MPGPH131.exe, 00000006.00000003.1799219032.00000000081F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}*
Source: Amcache.hve.11.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.11.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.11.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.11.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: RY5YJaMEWE.exe, 00000000.00000003.1738255642.0000000007882000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}es=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\WindowswwC
Source: MPGPH131.exe, 00000006.00000002.1964682941.0000000008180000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_826CA6BB
Source: Amcache.hve.11.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: RY5YJaMEWE.exe, 00000000.00000002.1967045734.00000000011B1000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.1988462124.0000000001051000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000002.1928036018.0000000001051000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.1964986921.0000000001191000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000013.00000002.2099549936.0000000001191000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: RY5YJaMEWE.exe, 00000000.00000002.1964458853.000000000082A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWC
Source: MPGPH131.exe, 00000005.00000002.2006431706.0000000008180000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}J6HEdjEHUub5EtqTQ2dk3wwrCNfruTWZeEqONRrqgXAW0ke6pZXg==_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*hu,b.
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Potentially malicious time measurement code found
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_04BF0261 Start: 04BF067F End: 04BF02A4 0_2_04BF0261
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_056A0C8F Start: 056A0F88 End: 056A0C5E 5_2_056A0C8F
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: ollydbg
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: SICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_04BE0645 rdtsc 0_2_04BE0645
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00F54130 mov eax, dword ptr fs:[00000030h] 0_2_00F54130
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00F21A60 mov eax, dword ptr fs:[00000030h] 0_2_00F21A60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00DF4130 mov eax, dword ptr fs:[00000030h] 5_2_00DF4130
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00DC1A60 mov eax, dword ptr fs:[00000030h] 5_2_00DC1A60
Source: RY5YJaMEWE.exe, RY5YJaMEWE.exe, 00000000.00000002.1967045734.00000000011B1000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.1988462124.0000000001051000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000002.1928036018.0000000001051000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Program Manager
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00EC360D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_00EC360D
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Code function: 0_2_00F6D2B0 RegOpenKeyExA,RegQueryValueExA,RegOpenKeyExA,RegQueryValueExA,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA, 0_2_00F6D2B0
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.11.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.11.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.11.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.11.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected RisePro Stealer
Source: Yara match File source: 00000006.00000003.1800568214.00000000081E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1782829200.000000000781E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2006431706.0000000008180000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1964682941.0000000008180000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1971682167.000000000781E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RY5YJaMEWE.exe PID: 7572, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7808, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7816, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 1856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 5088, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\ayJ4OMtTVlGKUrWcidqotQg.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\KF_fRlziJ7p5GphJKRn0mxX.zip, type: DROPPED
Found many strings related to Crypto-Wallets (likely being stolen)
Source: RY5YJaMEWE.exe, 00000000.00000002.1964458853.000000000082A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets A
Source: RY5YJaMEWE.exe, 00000000.00000002.1971808377.000000000786A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: RY5YJaMEWE.exe, 00000000.00000003.1737156213.0000000007882000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Jaxx\Local Storagetq
Source: MPGPH131.exe, 00000005.00000003.1824586857.000000000820A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: RY5YJaMEWE.exe, 00000000.00000002.1964458853.000000000082A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: MPGPH131.exe, 00000005.00000003.1824586857.000000000820A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: RY5YJaMEWE.exe, 00000000.00000002.1971808377.000000000786A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
Source: RY5YJaMEWE.exe, 00000000.00000002.1964458853.000000000082A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: RY5YJaMEWE.exe, 00000000.00000002.1971808377.000000000786A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: RY5YJaMEWE.exe, 00000000.00000002.1971808377.000000000786A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
Source: RY5YJaMEWE.exe, 00000000.00000003.1782829200.000000000781E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ledger Live
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\places.sqlite Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\RY5YJaMEWE.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000006.00000002.1928633812.00000000018D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2003412221.00000000019C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1964458853.000000000082A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RY5YJaMEWE.exe PID: 7572, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7808, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7816, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected RisePro Stealer
Source: Yara match File source: 00000006.00000003.1800568214.00000000081E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1782829200.000000000781E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2006431706.0000000008180000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1964682941.0000000008180000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1971682167.000000000781E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RY5YJaMEWE.exe PID: 7572, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7808, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7816, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 1856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 5088, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\ayJ4OMtTVlGKUrWcidqotQg.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\KF_fRlziJ7p5GphJKRn0mxX.zip, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1435299 Sample: RY5YJaMEWE.exe Startdate: 02/05/2024 Architecture: WINDOWS Score: 100 41 ipinfo.io 2->41 43 db-ip.com 2->43 51 Snort IDS alert for network traffic 2->51 53 Multi AV Scanner detection for domain / URL 2->53 55 Antivirus detection for URL or domain 2->55 57 5 other signatures 2->57 8 RY5YJaMEWE.exe 1 62 2->8         started        13 MPGPH131.exe 50 2->13         started        15 RageMP131.exe 2->15         started        17 2 other processes 2->17 signatures3 process4 dnsIp5 45 147.45.47.93, 49730, 49733, 49734 FREE-NET-ASFREEnetEU Russian Federation 8->45 47 ipinfo.io 34.117.186.192, 443, 49731, 49735 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 8->47 49 db-ip.com 172.67.75.166, 443, 49732, 49737 CLOUDFLARENETUS United States 8->49 33 C:\Users\user\AppData\Local\...\RageMP131.exe, PE32 8->33 dropped 35 C:\ProgramData\MPGPH131\MPGPH131.exe, PE32 8->35 dropped 37 C:\Users\user\...\ayJ4OMtTVlGKUrWcidqotQg.zip, Zip 8->37 dropped 59 Detected unpacking (changes PE section rights) 8->59 61 Tries to steal Mail credentials (via file / registry access) 8->61 63 Found many strings related to Crypto-Wallets (likely being stolen) 8->63 79 4 other signatures 8->79 19 schtasks.exe 1 8->19         started        21 schtasks.exe 1 8->21         started        23 WerFault.exe 8->23         started        65 Multi AV Scanner detection for dropped file 13->65 67 Machine Learning detection for dropped file 13->67 69 Tries to evade debugger and weak emulator (self modifying code) 13->69 25 WerFault.exe 13->25         started        71 Tries to detect sandboxes and other dynamic analysis tools (window names) 15->71 73 Hides threads from debuggers 15->73 75 Tries to detect sandboxes / dynamic malware analysis system (registry check) 15->75 39 C:\Users\user\...\KF_fRlziJ7p5GphJKRn0mxX.zip, Zip 17->39 dropped 77 Tries to harvest and steal browser information (history, passwords, etc) 17->77 27 WerFault.exe 17->27         started        file6 signatures7 process8 process9 29 conhost.exe 19->29         started        31 conhost.exe 21->31         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
34.117.186.192
 ipinfo.io United States
139070 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG false
147.45.47.93
 unknown Russian Federation
2895 FREE-NET-ASFREEnetEU true
172.67.75.166
 db-ip.com United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
ipinfo.io 34.117.186.192 true
db-ip.com 172.67.75.166 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://ipinfo.io/widget/demo/191.96.150.225 false
    		high
    https://db-ip.com/demo/home.php?s=191.96.150.225 false
      		high