Windows Analysis Report
4yFaZU8fhT.exe

Overview

General Information

Sample name: 4yFaZU8fhT.exe
renamed because original name is a hash value
Original sample name: 37471206e1fded92d8513a747f7dafa4.exe
Analysis ID: 1435304
MD5: 37471206e1fded92d8513a747f7dafa4
SHA1: 2a783b73a310d0a0600539e50abd77c03a5ff0d4
SHA256: df72563cd0126b9e0f040bbd454332e9dc7140b6aab7a277981475ec5052e98f
Tags: 32exe
Infos:

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
Connects to many ports of the same IP (likely port scanning)
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://147.45.47.102:57893/hera/amadka.exe Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: http://147.45.47.102:57893/hera/amadka.exe Virustotal: Detection: 18% Perma Link
Source: http://147.45.47.102:57893/hera/amadka.exe68.0 Virustotal: Detection: 15% Perma Link
Source: http://193.233.132.56/cost/go.exe Virustotal: Detection: 19% Perma Link
Source: http://193.233.132.56/cost/go.exe00.1 Virustotal: Detection: 18% Perma Link
Source: http://193.233.132.56/cost/sok.exe Virustotal: Detection: 21% Perma Link
Source: http://193.233.132.56/cost/lenin.exe Virustotal: Detection: 21% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe ReversingLabs: Detection: 47%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Virustotal: Detection: 54% Perma Link
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Virustotal: Detection: 54% Perma Link
Multi AV Scanner detection for submitted file
Source: 4yFaZU8fhT.exe ReversingLabs: Detection: 47%
Source: 4yFaZU8fhT.exe Virustotal: Detection: 51% Perma Link
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 4yFaZU8fhT.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00DA3EB0 CryptUnprotectData,CryptUnprotectData, 0_2_00DA3EB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00D63EB0 CryptUnprotectData,CryptUnprotectData, 10_2_00D63EB0
Uses 32bit PE files
Source: 4yFaZU8fhT.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00DA33B0 FindFirstFileA,FindNextFileA, 0_2_00DA33B0
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00DC3B20 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_00DC3B20
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00D11F8C FindFirstFileExW, 0_2_00D11F8C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00D633B0 FindFirstFileA,FindNextFileA, 10_2_00D633B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00D83B20 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 10_2_00D83B20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00CD1F8C FindFirstFileExW, 10_2_00CD1F8C

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49739 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49739
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49739 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49748
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49748 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49750
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49750 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49758
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49758 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49759
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49759 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49759
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49758
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49750
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49748
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49739
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 147.45.47.93 ports 0,5,7,8,58709,9
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49739 -> 147.45.47.93:58709
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View IP Address: 147.45.47.93 147.45.47.93
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: unknown TCP traffic detected without corresponding DNS query: 20.114.59.183
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00DA52A0 recv, 0_2_00DA52A0
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGL2BzrEGIjBXJ0kBWdrfk7lX7b32Pkj8zyy-ogwXNHSaOgwpNLYp9h0DCW090wxAGGW6cY1tJVYyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-12; NID=513=BWqDymbqelyW6BVIcqz3UnaQBCfXzu5yCLIIur3YK_u-ho-Uj9aoZfL9JsXs8TEgSUgg8eESk31nCXsr8a3D7lhJUoZk9YyI0v1wzZt9pYM-j8eQP1txqZnzP8SYR_fZqqYpcVi-qJGvcvJj8SC6rzTlM2eoVZBlDTZrldCPhaA
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGL2BzrEGIjCk_ClrTmb3b7jxSkTuezkF8p0VhoyRfvj35Q1kYqg7vTJr3qrm_0zGF42jmB1yB00yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-12; NID=513=MJOl0YK4BkEOXLub6IZX8Ddpd9hYLHiVKseCTsh5_KRWAumWJWigSKW37TANz-vsk9TZJj5V8djTxxqkE43_u6z2Z2gG38fEzylYbVFNbulQY893sHyROZKMDpkGvDc6ANX4GfTBgsqTLEc4KYxN2sSkQBOqAAGWZDHpo-25GlQ
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=nyo8pOUCogf6Wxa&MD=cum8WutZ HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=nyo8pOUCogf6Wxa&MD=cum8WutZ HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: global traffic DNS traffic detected: DNS query: db-ip.com
Source: RageMP131.exe, 0000000E.00000003.2325682834.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe
Source: MPGPH131.exe, 0000000A.00000002.2646786601.0000000008070000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe)a
Source: 4yFaZU8fhT.exe, 00000000.00000002.2983003305.0000000001509000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe68.0
Source: RageMP131.exe, 0000000E.00000002.2518006348.0000000007664000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exennet
Source: 4yFaZU8fhT.exe, 00000000.00000002.2983003305.0000000001509000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exer.db
Source: 4yFaZU8fhT.exe, 00000000.00000002.2983003305.0000000001509000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2639796771.0000000001792000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2691093164.0000000000C0A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2689613356.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2682983020.0000000000C08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2685759974.0000000000C0A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2686762831.0000000000C0A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000002.2878151031.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2683708228.0000000000C0B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2521392312.00000000012EC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2513863501.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2518006348.0000000007664000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2326703687.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2325682834.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/go.exe
Source: RageMP131.exe, 0000000D.00000002.2521392312.00000000012EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/go.exe00.1
Source: 4yFaZU8fhT.exe, 00000000.00000002.2983003305.0000000001509000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/go.exeer
Source: MPGPH131.exe, 0000000B.00000003.2691093164.0000000000C0A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2689613356.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2682983020.0000000000C08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2685759974.0000000000C0A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2686762831.0000000000C0A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000002.2878151031.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2683708228.0000000000C0B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/go.exeisepro_botGBp
Source: RageMP131.exe, 0000000E.00000002.2513863501.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2326703687.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2325682834.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/go.exemadka.ex168.0G
Source: RageMP131.exe, 0000000E.00000002.2518006348.0000000007664000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/go.exeshoin
Source: MPGPH131.exe, 0000000B.00000003.2683708228.0000000000C0B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2521392312.00000000012EC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2513863501.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2326703687.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2325682834.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/lenin.exe
Source: RageMP131.exe, 0000000D.00000002.2521392312.00000000012EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/lenin.exeka.exn
Source: RageMP131.exe, 0000000E.00000003.2325682834.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/sok.exe
Source: RageMP131.exe, 0000000D.00000002.2521392312.00000000012EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/sok.exe2
Source: 4yFaZU8fhT.exe, 00000000.00000002.2983003305.0000000001509000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/sok.exeK
Source: 4yFaZU8fhT.exe, 00000000.00000002.2983003305.0000000001509000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/sok.exeY
Source: MPGPH131.exe, 0000000A.00000002.2646786601.0000000008070000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/sok.exeataw?
Source: MPGPH131.exe, 0000000B.00000002.2878151031.0000000000C1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/sok.exedaUsm
Source: RageMP131.exe, 0000000E.00000002.2518006348.0000000007664000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/sok.exee
Source: MPGPH131.exe, 0000000B.00000003.2691093164.0000000000C0A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2689613356.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2682983020.0000000000C08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2685759974.0000000000C0A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2686762831.0000000000C0A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000002.2878151031.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2683708228.0000000000C0B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/sok.exeyB~
Source: 4yFaZU8fhT.exe, 00000000.00000002.2981785953.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.1643236852.0000000005120000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.1733491796.00000000053B0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2632454083.0000000000CA1000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 0000000B.00000002.2878913354.0000000000CA1000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 0000000B.00000003.1767366537.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2518692760.0000000000201000.00000040.00000001.01000000.00000009.sdmp, RageMP131.exe, 0000000D.00000003.1826064436.0000000005010000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.1906157385.0000000004AF0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2511132514.0000000000201000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: 4yFaZU8fhT.exe, 00000000.00000003.2416172024.0000000007DC9000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.2418313041.0000000007D5B000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.2793253991.0000000007D5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2396596883.0000000008107000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2394652256.00000000080DF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2684871288.0000000007A5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2331561616.0000000007A5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2333733390.0000000007A60000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.2301450900.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.2334251486.000000000863E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.2299949912.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2277452245.00000000076CD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2282819240.0000000007788000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2301563432.000000000770B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2301473194.00000000076E7000.00000004.00000020.00020000.00000000.sdmp, 4l4BfbfnyXWKWeb Data.10.dr, 3brz3PBX0kUnWeb Data.11.dr, OI4yKAaZa3uHWeb Data.14.dr, x3VaRthbpdjkWeb Data.0.dr, teUiJVlbZ2ejWeb Data.0.dr, NTds6kgWrdAcWeb Data.10.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 4yFaZU8fhT.exe, 00000000.00000003.2416172024.0000000007DC9000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.2418313041.0000000007D5B000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.2793253991.0000000007D5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2396596883.0000000008107000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2394652256.00000000080DF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2684871288.0000000007A5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2331561616.0000000007A5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2333733390.0000000007A60000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.2301450900.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.2334251486.000000000863E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.2299949912.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2277452245.00000000076CD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2282819240.0000000007788000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2301563432.000000000770B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2301473194.00000000076E7000.00000004.00000020.00020000.00000000.sdmp, 4l4BfbfnyXWKWeb Data.10.dr, 3brz3PBX0kUnWeb Data.11.dr, OI4yKAaZa3uHWeb Data.14.dr, x3VaRthbpdjkWeb Data.0.dr, teUiJVlbZ2ejWeb Data.0.dr, NTds6kgWrdAcWeb Data.10.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 4yFaZU8fhT.exe, 00000000.00000003.2416172024.0000000007DC9000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.2418313041.0000000007D5B000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.2793253991.0000000007D5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2396596883.0000000008107000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2394652256.00000000080DF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2684871288.0000000007A5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2331561616.0000000007A5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2333733390.0000000007A60000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.2301450900.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.2334251486.000000000863E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.2299949912.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2277452245.00000000076CD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2282819240.0000000007788000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2301563432.000000000770B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2301473194.00000000076E7000.00000004.00000020.00020000.00000000.sdmp, 4l4BfbfnyXWKWeb Data.10.dr, 3brz3PBX0kUnWeb Data.11.dr, OI4yKAaZa3uHWeb Data.14.dr, x3VaRthbpdjkWeb Data.0.dr, teUiJVlbZ2ejWeb Data.0.dr, NTds6kgWrdAcWeb Data.10.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 4yFaZU8fhT.exe, 00000000.00000003.2416172024.0000000007DC9000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.2418313041.0000000007D5B000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.2793253991.0000000007D5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2396596883.0000000008107000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2394652256.00000000080DF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2684871288.0000000007A5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2331561616.0000000007A5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2333733390.0000000007A60000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.2301450900.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.2334251486.000000000863E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.2299949912.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2277452245.00000000076CD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2282819240.0000000007788000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2301563432.000000000770B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2301473194.00000000076E7000.00000004.00000020.00020000.00000000.sdmp, 4l4BfbfnyXWKWeb Data.10.dr, 3brz3PBX0kUnWeb Data.11.dr, OI4yKAaZa3uHWeb Data.14.dr, x3VaRthbpdjkWeb Data.0.dr, teUiJVlbZ2ejWeb Data.0.dr, NTds6kgWrdAcWeb Data.10.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 4yFaZU8fhT.exe, 00000000.00000002.2983003305.0000000001509000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.2392552200.000000000153E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2691093164.0000000000C0A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2689613356.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2682983020.0000000000C08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2685759974.0000000000C0A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2686762831.0000000000C0A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000002.2878151031.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2683708228.0000000000C0B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2521392312.00000000012EC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2521392312.00000000012A9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2247692273.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: RageMP131.exe, 0000000E.00000003.2325682834.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225
Source: MPGPH131.exe, 0000000B.00000003.2689613356.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000002.2878151031.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2683067992.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.2251
Source: 4yFaZU8fhT.exe, 00000000.00000002.2983003305.0000000001509000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.2257
Source: RageMP131.exe, 0000000E.00000003.2247692273.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2513863501.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2326703687.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2325682834.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.2258
Source: MPGPH131.exe, 0000000A.00000002.2639796771.0000000001774000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225im
Source: MPGPH131.exe, 0000000A.00000002.2639796771.0000000001792000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/jx
Source: RageMP131.exe, 0000000E.00000003.2247692273.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2513863501.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2326703687.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2325682834.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/x
Source: 4yFaZU8fhT.exe, 00000000.00000002.2983003305.0000000001509000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2689613356.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000002.2878151031.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2683067992.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=191.96.150.225
Source: RageMP131.exe, 0000000E.00000002.2513150381.0000000000E4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=191.96.150.2250E
Source: MPGPH131.exe, 0000000A.00000002.2639796771.0000000001792000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2521392312.00000000012B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=191.96.150.225P
Source: 4yFaZU8fhT.exe, 00000000.00000003.2416172024.0000000007DC9000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.2418313041.0000000007D5B000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.2793253991.0000000007D5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2396596883.0000000008107000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2394652256.00000000080DF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2684871288.0000000007A5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2331561616.0000000007A5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2333733390.0000000007A60000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.2301450900.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.2334251486.000000000863E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.2299949912.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2277452245.00000000076CD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2282819240.0000000007788000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2301563432.000000000770B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2301473194.00000000076E7000.00000004.00000020.00020000.00000000.sdmp, 4l4BfbfnyXWKWeb Data.10.dr, 3brz3PBX0kUnWeb Data.11.dr, OI4yKAaZa3uHWeb Data.14.dr, x3VaRthbpdjkWeb Data.0.dr, teUiJVlbZ2ejWeb Data.0.dr, NTds6kgWrdAcWeb Data.10.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 4yFaZU8fhT.exe, 00000000.00000003.2416172024.0000000007DC9000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.2418313041.0000000007D5B000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.2793253991.0000000007D5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2396596883.0000000008107000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2394652256.00000000080DF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2684871288.0000000007A5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2331561616.0000000007A5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2333733390.0000000007A60000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.2301450900.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.2334251486.000000000863E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.2299949912.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2277452245.00000000076CD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2282819240.0000000007788000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2301563432.000000000770B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2301473194.00000000076E7000.00000004.00000020.00020000.00000000.sdmp, 4l4BfbfnyXWKWeb Data.10.dr, 3brz3PBX0kUnWeb Data.11.dr, OI4yKAaZa3uHWeb Data.14.dr, x3VaRthbpdjkWeb Data.0.dr, teUiJVlbZ2ejWeb Data.0.dr, NTds6kgWrdAcWeb Data.10.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 4yFaZU8fhT.exe, 00000000.00000003.2416172024.0000000007DC9000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.2418313041.0000000007D5B000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.2793253991.0000000007D5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2396596883.0000000008107000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2394652256.00000000080DF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2684871288.0000000007A5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2331561616.0000000007A5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2333733390.0000000007A60000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.2301450900.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.2334251486.000000000863E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.2299949912.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2277452245.00000000076CD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2282819240.0000000007788000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2301563432.000000000770B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2301473194.00000000076E7000.00000004.00000020.00020000.00000000.sdmp, 4l4BfbfnyXWKWeb Data.10.dr, 3brz3PBX0kUnWeb Data.11.dr, OI4yKAaZa3uHWeb Data.14.dr, x3VaRthbpdjkWeb Data.0.dr, teUiJVlbZ2ejWeb Data.0.dr, NTds6kgWrdAcWeb Data.10.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RageMP131.exe, 0000000E.00000002.2513150381.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2513863501.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2247692273.0000000000EB9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2326703687.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2325682834.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2513150381.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: 4yFaZU8fhT.exe, 00000000.00000002.2983003305.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2639796771.0000000001787000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000002.2878151031.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2683067992.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2521392312.00000000012B8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2247692273.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2513150381.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: 4yFaZU8fhT.exe, 00000000.00000002.2981785953.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.1643236852.0000000005120000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.1733491796.00000000053B0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2632454083.0000000000CA1000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 0000000B.00000002.2878913354.0000000000CA1000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 0000000B.00000003.1767366537.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2518692760.0000000000201000.00000040.00000001.01000000.00000009.sdmp, RageMP131.exe, 0000000D.00000003.1826064436.0000000005010000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.1906157385.0000000004AF0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2511132514.0000000000201000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: 4yFaZU8fhT.exe, 00000000.00000002.2983003305.000000000149E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/l
Source: RageMP131.exe, 0000000E.00000002.2513150381.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2513150381.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.225
Source: 4yFaZU8fhT.exe, 00000000.00000002.2983003305.00000000014E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.225A
Source: MPGPH131.exe, 0000000A.00000002.2639796771.0000000001787000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000002.2878151031.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2683067992.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2521392312.00000000012B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.150.225
Source: RageMP131.exe, 0000000E.00000002.2513150381.0000000000E4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.150.225LD7o
Source: 4yFaZU8fhT.exe, 00000000.00000002.2983003305.00000000014E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.150.225O
Source: D87fZN3R3jFeplaces.sqlite.13.dr String found in binary or memory: https://support.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.13.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: D87fZN3R3jFeplaces.sqlite.13.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: 4yFaZU8fhT.exe, 00000000.00000003.2415913358.0000000007D13000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2395529615.00000000080CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2683443592.0000000007A4C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2332396847.0000000007A89000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.2300263800.0000000007D3A000.00000004.00000020.00020000.00000000.sdmp, NSxP0F6v2L2hHistory.14.dr, IFJfPWAsKUHmHistory.0.dr, VoCnwx8I_OJxHistory.14.dr, GvnVAzKmjiOkHistory.10.dr, mgIzrOB2QqTEHistory.11.dr, BvrI6ZnwBbwBHistory.10.dr, UhDbJ696SXhZHistory.0.dr, QJfbXn3O77YcHistory.13.dr, kJYxohPTUHuDHistory.13.dr, SgGZtdXlPVQiHistory.11.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: NSxP0F6v2L2hHistory.14.dr, IFJfPWAsKUHmHistory.0.dr, VoCnwx8I_OJxHistory.14.dr, GvnVAzKmjiOkHistory.10.dr, mgIzrOB2QqTEHistory.11.dr, BvrI6ZnwBbwBHistory.10.dr, UhDbJ696SXhZHistory.0.dr, QJfbXn3O77YcHistory.13.dr, kJYxohPTUHuDHistory.13.dr, SgGZtdXlPVQiHistory.11.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: 4yFaZU8fhT.exe, 00000000.00000003.2415913358.0000000007D13000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2395529615.00000000080CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2683443592.0000000007A4C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2332396847.0000000007A89000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.2300263800.0000000007D3A000.00000004.00000020.00020000.00000000.sdmp, NSxP0F6v2L2hHistory.14.dr, IFJfPWAsKUHmHistory.0.dr, VoCnwx8I_OJxHistory.14.dr, GvnVAzKmjiOkHistory.10.dr, mgIzrOB2QqTEHistory.11.dr, BvrI6ZnwBbwBHistory.10.dr, UhDbJ696SXhZHistory.0.dr, QJfbXn3O77YcHistory.13.dr, kJYxohPTUHuDHistory.13.dr, SgGZtdXlPVQiHistory.11.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: NSxP0F6v2L2hHistory.14.dr, IFJfPWAsKUHmHistory.0.dr, VoCnwx8I_OJxHistory.14.dr, GvnVAzKmjiOkHistory.10.dr, mgIzrOB2QqTEHistory.11.dr, BvrI6ZnwBbwBHistory.10.dr, UhDbJ696SXhZHistory.0.dr, QJfbXn3O77YcHistory.13.dr, kJYxohPTUHuDHistory.13.dr, SgGZtdXlPVQiHistory.11.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: 4yFaZU8fhT.exe, 00000000.00000002.2991328734.0000000007CB0000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000002.2983003305.000000000145E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2639796771.00000000016FD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2646786601.00000000080C6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000002.2878151031.0000000000B38000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2697286303.0000000007A21000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000002.2885742027.0000000007A24000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2521392312.000000000122E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2527821959.0000000007CD8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2513150381.0000000000E4C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2329793906.00000000076EE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2518257796.00000000076EF000.00000004.00000020.00020000.00000000.sdmp, Zl25MAjpYnUTIyBcq9pxH9f.zip.14.dr, It7WWM490pJiLWT9SBna9zQ.zip.0.dr, nYnjdG8klVHCmZpVavgqo18.zip.11.dr, oMBTImdRbSxje11wDKstOdo.zip.13.dr, mdNy7lj2nRknu8dCyONmCOJ.zip.10.dr String found in binary or memory: https://t.me/RiseProSUPPORT
Source: MPGPH131.exe, 0000000B.00000003.2697286303.0000000007A21000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000002.2885742027.0000000007A24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTD
Source: RageMP131.exe, 0000000E.00000003.2329793906.00000000076EE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2518257796.00000000076EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTK
Source: MPGPH131.exe, 0000000A.00000002.2646786601.00000000080C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTe
Source: RageMP131.exe, 0000000D.00000002.2527821959.0000000007CD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTi
Source: MPGPH131.exe, 0000000A.00000002.2646786601.00000000080C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTtO
Source: RageMP131.exe, 0000000E.00000003.2325682834.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.10.dr, passwords.txt.0.dr, passwords.txt.11.dr, passwords.txt.14.dr, passwords.txt.13.dr String found in binary or memory: https://t.me/risepro_bot
Source: 4yFaZU8fhT.exe, 00000000.00000002.2983003305.0000000001509000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.2392552200.000000000153E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot/
Source: MPGPH131.exe, 0000000B.00000003.2691093164.0000000000C0A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2689613356.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2682983020.0000000000C08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2685759974.0000000000C0A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2686762831.0000000000C0A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000002.2878151031.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2683708228.0000000000C0B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot8B?
Source: RageMP131.exe, 0000000E.00000003.2247692273.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2513863501.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2326703687.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2325682834.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot9
Source: RageMP131.exe, 0000000D.00000002.2521392312.00000000012EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot;
Source: RageMP131.exe, 0000000E.00000003.2247692273.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2513863501.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2326703687.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2325682834.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botisepro_bot7
Source: MPGPH131.exe, 0000000A.00000002.2639796771.0000000001792000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botlateroz
Source: RageMP131.exe, 0000000D.00000002.2521392312.00000000012EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botrisepro
Source: 4yFaZU8fhT.exe, 00000000.00000003.2416172024.0000000007DC9000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.2418313041.0000000007D5B000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.2793253991.0000000007D5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2396596883.0000000008107000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2394652256.00000000080DF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2684871288.0000000007A5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2331561616.0000000007A5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2333733390.0000000007A60000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.2301450900.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.2334251486.000000000863E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.2299949912.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2277452245.00000000076CD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2282819240.0000000007788000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2301563432.000000000770B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2301473194.00000000076E7000.00000004.00000020.00020000.00000000.sdmp, 4l4BfbfnyXWKWeb Data.10.dr, 3brz3PBX0kUnWeb Data.11.dr, OI4yKAaZa3uHWeb Data.14.dr, x3VaRthbpdjkWeb Data.0.dr, teUiJVlbZ2ejWeb Data.0.dr, NTds6kgWrdAcWeb Data.10.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: 4yFaZU8fhT.exe, 00000000.00000003.2416172024.0000000007DC9000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.2418313041.0000000007D5B000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.2793253991.0000000007D5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2396596883.0000000008107000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2394652256.00000000080DF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2684871288.0000000007A5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2331561616.0000000007A5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2333733390.0000000007A60000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.2301450900.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.2334251486.000000000863E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.2299949912.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2277452245.00000000076CD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2282819240.0000000007788000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2301563432.000000000770B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2301473194.00000000076E7000.00000004.00000020.00020000.00000000.sdmp, 4l4BfbfnyXWKWeb Data.10.dr, 3brz3PBX0kUnWeb Data.11.dr, OI4yKAaZa3uHWeb Data.14.dr, x3VaRthbpdjkWeb Data.0.dr, teUiJVlbZ2ejWeb Data.0.dr, NTds6kgWrdAcWeb Data.10.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 4yFaZU8fhT.exe, MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: D87fZN3R3jFeplaces.sqlite.13.dr String found in binary or memory: https://www.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.13.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: D87fZN3R3jFeplaces.sqlite.13.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: 4yFaZU8fhT.exe, 00000000.00000002.2983003305.0000000001509000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2646786601.0000000008070000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2521392312.0000000001313000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2518006348.0000000007664000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: 4yFaZU8fhT.exe, 00000000.00000003.2424306002.0000000007D0C000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.2787130836.0000000007D0C000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.2416294694.0000000007D0C000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.2425530108.0000000007D0C000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.2419104678.0000000007D0C000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.2424734108.0000000007D0C000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.2421025007.0000000007D0C000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000002.2991328734.0000000007D0C000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.2791016599.0000000007D0C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2398772361.00000000080C6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2393589145.00000000080C6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2397688007.00000000080C6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2394236629.00000000080C6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2395903958.00000000080C6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2646786601.00000000080C6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2396376877.00000000080C6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2393991828.00000000080C6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2399564452.00000000080C6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2395339200.00000000080C6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2394797928.00000000080C6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2527821959.0000000007D32000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: MPGPH131.exe, 0000000A.00000002.2646786601.0000000008070000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/l
Source: RageMP131.exe, 0000000D.00000002.2521392312.0000000001313000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/n(O
Source: RageMP131.exe, 0000000D.00000002.2521392312.0000000001313000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/qN
Source: D87fZN3R3jFeplaces.sqlite.13.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: MPGPH131.exe, 0000000A.00000002.2646786601.0000000008070000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2521392312.0000000001313000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2518006348.0000000007664000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: RageMP131.exe, 0000000D.00000002.2521392312.0000000001313000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/e
Source: 4yFaZU8fhT.exe, 00000000.00000003.2424306002.0000000007D0C000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.2787130836.0000000007D0C000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.2416294694.0000000007D0C000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.2425530108.0000000007D0C000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.2419104678.0000000007D0C000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.2424734108.0000000007D0C000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.2421025007.0000000007D0C000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000002.2991328734.0000000007D0C000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.2791016599.0000000007D0C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2398772361.00000000080C6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2393589145.00000000080C6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2397688007.00000000080C6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2394236629.00000000080C6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2395903958.00000000080C6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2646786601.00000000080C6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2396376877.00000000080C6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2393991828.00000000080C6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2399564452.00000000080C6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2395339200.00000000080C6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2394797928.00000000080C6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2527821959.0000000007D32000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: 4yFaZU8fhT.exe, 00000000.00000002.2983003305.0000000001509000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2646786601.0000000008070000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/r
Source: RageMP131.exe, 0000000D.00000002.2521392312.0000000001313000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/refoxrO
Source: RageMP131.exe, 0000000E.00000002.2518006348.0000000007664000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/ta
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49771 version: TLS 1.2

System Summary
barindex
PE file contains section with special chars
Source: 4yFaZU8fhT.exe Static PE information: section name:
Source: 4yFaZU8fhT.exe Static PE information: section name: .idata
Source: 4yFaZU8fhT.exe Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name:
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Process Stats: CPU usage > 49%
Contains functionality to call native functions
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00D86470 NtDuplicateObject,CreateThread,TerminateThread, 10_2_00D86470
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00D86E20 RtlAllocateHeap,NtQuerySystemInformation,HeapFree,RtlFreeHeap,RtlAllocateHeap,NtQuerySystemInformation,HeapFree, 10_2_00D86E20
Detected potential crypto function
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00DD8080 0_2_00DD8080
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00D2001D 0_2_00D2001D
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00D761D0 0_2_00D761D0
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00DBD2B0 0_2_00DBD2B0
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00DBC3E0 0_2_00DBC3E0
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00DBB7E0 0_2_00DBB7E0
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00D5F730 0_2_00D5F730
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00CEB8E0 0_2_00CEB8E0
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00E1C8D0 0_2_00E1C8D0
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00DB49B0 0_2_00DB49B0
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00D78A80 0_2_00D78A80
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00D71A60 0_2_00D71A60
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00D7CBF0 0_2_00D7CBF0
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00D87D20 0_2_00D87D20
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00D73ED0 0_2_00D73ED0
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00D7AEC0 0_2_00D7AEC0
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00D6DF60 0_2_00D6DF60
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00E120C0 0_2_00E120C0
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00E240A0 0_2_00E240A0
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00D17190 0_2_00D17190
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00E23160 0_2_00E23160
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00D62100 0_2_00D62100
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00D81130 0_2_00D81130
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00E1F280 0_2_00E1F280
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00D2035F 0_2_00D2035F
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00DD0350 0_2_00DD0350
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00D0F570 0_2_00D0F570
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00D347AD 0_2_00D347AD
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00D1C950 0_2_00D1C950
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00D1A918 0_2_00D1A918
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00E24AE0 0_2_00E24AE0
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00E25A40 0_2_00E25A40
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00D2DA74 0_2_00D2DA74
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00DC4B90 0_2_00DC4B90
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00D38BA0 0_2_00D38BA0
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00D70BA0 0_2_00D70BA0
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00D81E40 0_2_00D81E40
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00D38E20 0_2_00D38E20
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00DCBFC0 0_2_00DCBFC0
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00DCCFC0 0_2_00DCCFC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00D98080 10_2_00D98080
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00CE001D 10_2_00CE001D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00D361D0 10_2_00D361D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00D7D2B0 10_2_00D7D2B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00D7C3E0 10_2_00D7C3E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00D7B7E0 10_2_00D7B7E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00D1F730 10_2_00D1F730
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00DDC8D0 10_2_00DDC8D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00CAB8E0 10_2_00CAB8E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00D749B0 10_2_00D749B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00D38A80 10_2_00D38A80
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00D31A60 10_2_00D31A60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00D3CBF0 10_2_00D3CBF0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00D84B90 10_2_00D84B90
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00D47D20 10_2_00D47D20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00D33ED0 10_2_00D33ED0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00D3AEC0 10_2_00D3AEC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00D2DF60 10_2_00D2DF60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00DD20C0 10_2_00DD20C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00DE40A0 10_2_00DE40A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00CD7190 10_2_00CD7190
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00DE3160 10_2_00DE3160
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00D22100 10_2_00D22100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00D41130 10_2_00D41130
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00DDF280 10_2_00DDF280
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00D90350 10_2_00D90350
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00CE035F 10_2_00CE035F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00CCF570 10_2_00CCF570
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00CF47AD 10_2_00CF47AD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00CDC950 10_2_00CDC950
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00CDA918 10_2_00CDA918
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00DE4AE0 10_2_00DE4AE0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00DE5A40 10_2_00DE5A40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00CEDA74 10_2_00CEDA74
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00CF8BA0 10_2_00CF8BA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00D30BA0 10_2_00D30BA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00D41E40 10_2_00D41E40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00CF8E20 10_2_00CF8E20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00D8CFC0 10_2_00D8CFC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00D8BFC0 10_2_00D8BFC0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: String function: 00CFACE0 appears 86 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 00CBACE0 appears 86 times
Sample file is different than original file name gathered from version info
Source: 4yFaZU8fhT.exe Binary or memory string: OriginalFilename vs 4yFaZU8fhT.exe
Source: 4yFaZU8fhT.exe, 00000000.00000003.1680405491.0000000007519000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs 4yFaZU8fhT.exe
Source: 4yFaZU8fhT.exe, 00000000.00000002.2982734628.00000000012AF000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs 4yFaZU8fhT.exe
Source: 4yFaZU8fhT.exe, 00000000.00000000.1634408893.00000000012AF000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs 4yFaZU8fhT.exe
Source: 4yFaZU8fhT.exe, 00000000.00000002.2989056269.0000000005128000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs 4yFaZU8fhT.exe
Source: 4yFaZU8fhT.exe, 00000000.00000002.2981978762.0000000000E6F000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs 4yFaZU8fhT.exe
Source: 4yFaZU8fhT.exe Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs 4yFaZU8fhT.exe
Uses 32bit PE files
Source: 4yFaZU8fhT.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@33/106@10/7
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00DBD2B0 RegOpenKeyExA,RegQueryValueExA,RegOpenKeyExA,RegQueryValueExA,GetLocalTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA, 0_2_00DBD2B0
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe File created: C:\Users\user\AppData\Local\RageMP131 Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7272:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6976:120:WilError_03
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 4yFaZU8fhT.exe, 00000000.00000002.2981785953.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.1643236852.0000000005120000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.1733491796.00000000053B0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2632454083.0000000000CA1000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 0000000B.00000002.2878913354.0000000000CA1000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 0000000B.00000003.1767366537.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2518692760.0000000000201000.00000040.00000001.01000000.00000009.sdmp, RageMP131.exe, 0000000D.00000003.1826064436.0000000005010000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.1906157385.0000000004AF0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2511132514.0000000000201000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 4yFaZU8fhT.exe, 00000000.00000002.2981785953.0000000000CE1000.00000040.00000001.01000000.00000003.sdmp, 4yFaZU8fhT.exe, 00000000.00000003.1643236852.0000000005120000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.1733491796.00000000053B0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2632454083.0000000000CA1000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 0000000B.00000002.2878913354.0000000000CA1000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 0000000B.00000003.1767366537.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2518692760.0000000000201000.00000040.00000001.01000000.00000009.sdmp, RageMP131.exe, 0000000D.00000003.1826064436.0000000005010000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.1906157385.0000000004AF0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2511132514.0000000000201000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: 4yFaZU8fhT.exe, 00000000.00000003.2414669326.0000000007D0D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2394560870.00000000080C7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2393991828.0000000008089000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2330894850.0000000007A6B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2331561616.0000000007A67000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2331914766.0000000007A6B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2330990575.0000000007A78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2331980467.0000000007A7B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2277167839.00000000076E4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2277217897.0000000007695000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2286313956.00000000076E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 4yFaZU8fhT.exe ReversingLabs: Detection: 47%
Source: 4yFaZU8fhT.exe Virustotal: Detection: 51%
Source: 4yFaZU8fhT.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 4yFaZU8fhT.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe File read: C:\Users\user\Desktop\4yFaZU8fhT.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\4yFaZU8fhT.exe "C:\Users\user\Desktop\4yFaZU8fhT.exe"
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://473750571567004317064230583514468350804565684324378075159610742091604698238217701484029465762430135913242023857750034401559054060945654540273638867228794983640833862748912121851334807031249099092790952130035074227943842970399582505875/
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 --field-trial-handle=2004,i,2527806901982277693,8120944807826650794,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1992,i,3464842779414209099,10346250088946657850,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 --field-trial-handle=2004,i,2527806901982277693,8120944807826650794,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1992,i,3464842779414209099,10346250088946657850,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 --field-trial-handle=2004,i,2527806901982277693,8120944807826650794,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 --field-trial-handle=2004,i,2527806901982277693,8120944807826650794,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: vaultcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wintypes.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: 4yFaZU8fhT.exe Static file information: File size 2398208 > 1048576
Source: 4yFaZU8fhT.exe Static PE information: Raw size of jaihxoyy is bigger than: 0x100000 < 0x19a600

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Unpacked PE file: 0.2.4yFaZU8fhT.exe.ce0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jaihxoyy:EW;vypfwgmz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;jaihxoyy:EW;vypfwgmz:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 10.2.MPGPH131.exe.ca0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jaihxoyy:EW;vypfwgmz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;jaihxoyy:EW;vypfwgmz:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 11.2.MPGPH131.exe.ca0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jaihxoyy:EW;vypfwgmz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;jaihxoyy:EW;vypfwgmz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 13.2.RageMP131.exe.200000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jaihxoyy:EW;vypfwgmz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;jaihxoyy:EW;vypfwgmz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 14.2.RageMP131.exe.200000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jaihxoyy:EW;vypfwgmz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;jaihxoyy:EW;vypfwgmz:EW;.taggant:EW;
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: RageMP131.exe.0.dr Static PE information: real checksum: 0x258eb0 should be: 0x250ed8
Source: 4yFaZU8fhT.exe Static PE information: real checksum: 0x258eb0 should be: 0x250ed8
Source: MPGPH131.exe.0.dr Static PE information: real checksum: 0x258eb0 should be: 0x250ed8
PE file contains sections with non-standard names
Source: 4yFaZU8fhT.exe Static PE information: section name:
Source: 4yFaZU8fhT.exe Static PE information: section name: .idata
Source: 4yFaZU8fhT.exe Static PE information: section name:
Source: 4yFaZU8fhT.exe Static PE information: section name: jaihxoyy
Source: 4yFaZU8fhT.exe Static PE information: section name: vypfwgmz
Source: 4yFaZU8fhT.exe Static PE information: section name: .taggant
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: jaihxoyy
Source: RageMP131.exe.0.dr Static PE information: section name: vypfwgmz
Source: RageMP131.exe.0.dr Static PE information: section name: .taggant
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: jaihxoyy
Source: MPGPH131.exe.0.dr Static PE information: section name: vypfwgmz
Source: MPGPH131.exe.0.dr Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00D13F49 push ecx; ret 0_2_00D13F5C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00CD3F49 push ecx; ret 10_2_00CD3F5C
Source: 4yFaZU8fhT.exe Static PE information: section name: entropy: 7.9242873449988
Source: 4yFaZU8fhT.exe Static PE information: section name: jaihxoyy entropy: 7.911106229261562
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.9242873449988
Source: RageMP131.exe.0.dr Static PE information: section name: jaihxoyy entropy: 7.911106229261562
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.9242873449988
Source: MPGPH131.exe.0.dr Static PE information: section name: jaihxoyy entropy: 7.911106229261562
Drops PE files
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Jump to dropped file
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131 Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131 Jump to behavior

Malware Analysis System Evasion
barindex
Found stalling execution ending in API Sleep call
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Stalling execution: Execution stalls by calling Sleep
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FF0DAF second address: FF0DB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FF0DB3 second address: FF0DBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FF0DBC second address: FF0DC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FF0DC2 second address: FF0DF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 jo 00007FF3B88FFC46h 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jmp 00007FF3B88FFC58h 0x00000018 jg 00007FF3B88FFC46h 0x0000001e push edi 0x0000001f pop edi 0x00000020 pushad 0x00000021 popad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FEBBF5 second address: FEBBF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FF054F second address: FF056D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FF3B88FFC4Fh 0x0000000a pop esi 0x0000000b jnl 00007FF3B88FFC54h 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FF06B9 second address: FF06BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FF06BD second address: FF06EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF3B88FFC4Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c push edx 0x0000000d jmp 00007FF3B88FFC4Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 jns 00007FF3B88FFC46h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FF2E59 second address: FF2EEC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8722397h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007FF3B8722396h 0x00000013 mov eax, dword ptr [eax] 0x00000015 je 00007FF3B8722392h 0x0000001b jnp 00007FF3B872238Ch 0x00000021 jnp 00007FF3B8722386h 0x00000027 mov dword ptr [esp+04h], eax 0x0000002b jnl 00007FF3B872239Ch 0x00000031 pop eax 0x00000032 mov esi, dword ptr [ebp+122D367Fh] 0x00000038 lea ebx, dword ptr [ebp+1244EC54h] 0x0000003e mov edx, dword ptr [ebp+122D368Fh] 0x00000044 xchg eax, ebx 0x00000045 jmp 00007FF3B872238Ah 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d push ecx 0x0000004e ja 00007FF3B8722386h 0x00000054 pop ecx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FF2EEC second address: FF2EF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FF2FFD second address: FF3007 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF3B872238Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FF3007 second address: FF304F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 add dword ptr [esp], 6B8DA6A7h 0x0000000d mov dword ptr [ebp+122D21D6h], edx 0x00000013 push 00000003h 0x00000015 jo 00007FF3B88FFC4Bh 0x0000001b mov edi, 1565112Dh 0x00000020 push 00000000h 0x00000022 jmp 00007FF3B88FFC50h 0x00000027 push 00000003h 0x00000029 mov dword ptr [ebp+122D17E8h], esi 0x0000002f push 6544CD00h 0x00000034 pushad 0x00000035 js 00007FF3B88FFC4Ch 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FF304F second address: FF3057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FF3057 second address: FF3086 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF3B88FFC46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b add dword ptr [esp], 5ABB3300h 0x00000012 mov ecx, 354C5506h 0x00000017 lea ebx, dword ptr [ebp+1244EC5Dh] 0x0000001d jnp 00007FF3B88FFC4Ch 0x00000023 add dword ptr [ebp+122D1F48h], edx 0x00000029 push eax 0x0000002a push edi 0x0000002b push eax 0x0000002c push edx 0x0000002d push edi 0x0000002e pop edi 0x0000002f rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FF30D5 second address: FF30FE instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF3B872238Ch 0x00000008 je 00007FF3B8722386h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 mov edx, 41269763h 0x00000018 push 00000000h 0x0000001a mov edx, 5AE07300h 0x0000001f push 6AD11F06h 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FF30FE second address: FF3102 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FF3102 second address: FF311C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF3B8722392h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FF311C second address: FF3120 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FF3120 second address: FF31B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xor dword ptr [esp], 6AD11F86h 0x0000000e stc 0x0000000f mov esi, dword ptr [ebp+122D38BBh] 0x00000015 push 00000003h 0x00000017 mov edi, dword ptr [ebp+122D1B11h] 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push ebx 0x00000022 call 00007FF3B8722388h 0x00000027 pop ebx 0x00000028 mov dword ptr [esp+04h], ebx 0x0000002c add dword ptr [esp+04h], 00000014h 0x00000034 inc ebx 0x00000035 push ebx 0x00000036 ret 0x00000037 pop ebx 0x00000038 ret 0x00000039 jmp 00007FF3B8722395h 0x0000003e push 00000003h 0x00000040 jbe 00007FF3B872238Ah 0x00000046 mov cx, A400h 0x0000004a call 00007FF3B8722389h 0x0000004f jbe 00007FF3B8722396h 0x00000055 jmp 00007FF3B8722390h 0x0000005a push eax 0x0000005b push eax 0x0000005c push edx 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007FF3B8722396h 0x00000064 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FF31B6 second address: FF31C0 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF3B88FFC46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FF31C0 second address: FF31E0 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF3B872238Ch 0x00000008 jp 00007FF3B8722386h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 ja 00007FF3B8722386h 0x0000001d pushad 0x0000001e popad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FF31E0 second address: FF321B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B88FFC53h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jmp 00007FF3B88FFC50h 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 pushad 0x00000015 push eax 0x00000016 pushad 0x00000017 popad 0x00000018 pop eax 0x00000019 pushad 0x0000001a jg 00007FF3B88FFC46h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FF321B second address: FF3241 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pop eax 0x00000007 mov ecx, esi 0x00000009 lea ebx, dword ptr [ebp+1244EC68h] 0x0000000f mov si, dx 0x00000012 xchg eax, ebx 0x00000013 push ebx 0x00000014 jmp 00007FF3B872238Ch 0x00000019 pop ebx 0x0000001a push eax 0x0000001b pushad 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FF3241 second address: FF324E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnl 00007FF3B88FFC46h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FE19A8 second address: FE19AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FE19AF second address: FE19BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 ja 00007FF3B88FFC46h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1011F51 second address: 1011F75 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FF3B8722395h 0x00000008 jg 00007FF3B8722386h 0x0000000e pop edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1011F75 second address: 1011F9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF3B88FFC53h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jne 00007FF3B88FFC46h 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1011F9B second address: 1011FC0 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF3B8722386h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FF3B8722399h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1012120 second address: 101212A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10123C6 second address: 10123CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1012948 second address: 1012969 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FF3B88FFC46h 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF3B88FFC54h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1012969 second address: 101296D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1012C5E second address: 1012C97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B88FFC58h 0x00000007 jmp 00007FF3B88FFC58h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e popad 0x0000000f push edx 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1012C97 second address: 1012C9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1012DC5 second address: 1012DC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1012DC9 second address: 1012DDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnc 00007FF3B872238Ch 0x0000000e rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1012DDD second address: 1012E09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FF3B88FFC46h 0x00000009 jnc 00007FF3B88FFC46h 0x0000000f jl 00007FF3B88FFC46h 0x00000015 push eax 0x00000016 pop eax 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pushad 0x0000001b pushad 0x0000001c jmp 00007FF3B88FFC4Eh 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1012E09 second address: 1012E19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FF3B8722386h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1012FAC second address: 1012FB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FE84BB second address: FE84D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FF3B872238Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jbe 00007FF3B872238Ah 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FE84D9 second address: FE84F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF3B88FFC4Fh 0x00000009 jg 00007FF3B88FFC46h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FE84F2 second address: FE854E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8722395h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jnl 00007FF3B87223A5h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FF3B8722397h 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 100B20F second address: 100B217 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1016E2C second address: 1016E36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FF3B8722386h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10157C2 second address: 10157C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10157C8 second address: 10157CD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 101603F second address: 1016043 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1016043 second address: 1016047 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1016047 second address: 101607A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007FF3B88FFC4Ch 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jc 00007FF3B88FFC5Dh 0x00000016 jmp 00007FF3B88FFC57h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1017055 second address: 101705A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 101705A second address: 1017061 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1019D18 second address: 1019D29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF3B872238Ch 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1019D29 second address: 1019D31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1019D31 second address: 1019D35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1019D35 second address: 1019D39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1019D39 second address: 1019D48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jns 00007FF3B8722386h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10223F3 second address: 10223F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10223F7 second address: 10223FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10223FD second address: 1022425 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF3B88FFC4Ch 0x00000008 jnc 00007FF3B88FFC46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FF3B88FFC53h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1022425 second address: 1022429 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1022429 second address: 102242F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 102242F second address: 1022434 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 102251B second address: 1022533 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF3B88FFC54h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1022533 second address: 1022545 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF3B8722386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1022545 second address: 1022556 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF3B88FFC4Ch 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1022556 second address: 102255C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 102255C second address: 1022560 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1022FFE second address: 1023004 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1023004 second address: 102302C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FF3B88FFC58h 0x0000000b push esi 0x0000000c pop esi 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 102322D second address: 1023232 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1023331 second address: 102334E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF3B88FFC58h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 102392F second address: 1023935 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1023935 second address: 102393C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 102404C second address: 1024064 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF3B8722393h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 102523C second address: 10252BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007FF3B88FFC48h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 jns 00007FF3B88FFC5Ah 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push ebp 0x00000031 call 00007FF3B88FFC48h 0x00000036 pop ebp 0x00000037 mov dword ptr [esp+04h], ebp 0x0000003b add dword ptr [esp+04h], 00000018h 0x00000043 inc ebp 0x00000044 push ebp 0x00000045 ret 0x00000046 pop ebp 0x00000047 ret 0x00000048 jne 00007FF3B88FFC4Bh 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 jne 00007FF3B88FFC4Ch 0x00000057 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10252BF second address: 10252D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF3B8722390h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10252D3 second address: 10252D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1026D7F second address: 1026D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FF3B872238Ah 0x0000000c pushad 0x0000000d jg 00007FF3B8722386h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 102740F second address: 1027430 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B88FFC56h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1027430 second address: 1027434 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1027434 second address: 102743A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10287D6 second address: 10287DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10287DC second address: 10287E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10287E2 second address: 1028865 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8722392h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007FF3B8722392h 0x00000012 pushad 0x00000013 jmp 00007FF3B872238Dh 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b popad 0x0000001c nop 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push ebp 0x00000022 call 00007FF3B8722388h 0x00000027 pop ebp 0x00000028 mov dword ptr [esp+04h], ebp 0x0000002c add dword ptr [esp+04h], 0000001Dh 0x00000034 inc ebp 0x00000035 push ebp 0x00000036 ret 0x00000037 pop ebp 0x00000038 ret 0x00000039 mov esi, dword ptr [ebp+122D1E7Eh] 0x0000003f mov edi, dword ptr [ebp+122D274Bh] 0x00000045 push 00000000h 0x00000047 xchg eax, ebx 0x00000048 jc 00007FF3B8722398h 0x0000004e push eax 0x0000004f push edx 0x00000050 jc 00007FF3B8722386h 0x00000056 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1029331 second address: 10293D9 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF3B88FFC46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007FF3B88FFC48h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 0000001Dh 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 cld 0x00000027 push 00000000h 0x00000029 movsx edi, cx 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push ecx 0x00000031 call 00007FF3B88FFC48h 0x00000036 pop ecx 0x00000037 mov dword ptr [esp+04h], ecx 0x0000003b add dword ptr [esp+04h], 00000015h 0x00000043 inc ecx 0x00000044 push ecx 0x00000045 ret 0x00000046 pop ecx 0x00000047 ret 0x00000048 mov esi, 4D2911BDh 0x0000004d jmp 00007FF3B88FFC56h 0x00000052 call 00007FF3B88FFC4Ah 0x00000057 jmp 00007FF3B88FFC53h 0x0000005c pop esi 0x0000005d xchg eax, ebx 0x0000005e js 00007FF3B88FFC71h 0x00000064 push eax 0x00000065 push edx 0x00000066 jmp 00007FF3B88FFC50h 0x0000006b rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10293D9 second address: 1029411 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8722395h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007FF3B8722399h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1029411 second address: 1029415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1028584 second address: 10285AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8722398h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a ja 00007FF3B8722394h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10285AB second address: 10285AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 102EC40 second address: 102EC4A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF3B8722386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 102EC4A second address: 102EC54 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF3B88FFC4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1030C28 second address: 1030C2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 102A66A second address: 102A66E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 102CBAC second address: 102CBB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1030C2C second address: 1030CA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 jc 00007FF3B88FFC54h 0x0000000e pushad 0x0000000f mov dword ptr [ebp+124564B0h], eax 0x00000015 mov dword ptr [ebp+122D1B7Dh], ebx 0x0000001b popad 0x0000001c mov edi, dword ptr [ebp+122D38C3h] 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push edx 0x00000027 call 00007FF3B88FFC48h 0x0000002c pop edx 0x0000002d mov dword ptr [esp+04h], edx 0x00000031 add dword ptr [esp+04h], 00000015h 0x00000039 inc edx 0x0000003a push edx 0x0000003b ret 0x0000003c pop edx 0x0000003d ret 0x0000003e xor dword ptr [ebp+122D2238h], edx 0x00000044 push 00000000h 0x00000046 push 00000000h 0x00000048 push eax 0x00000049 call 00007FF3B88FFC48h 0x0000004e pop eax 0x0000004f mov dword ptr [esp+04h], eax 0x00000053 add dword ptr [esp+04h], 00000019h 0x0000005b inc eax 0x0000005c push eax 0x0000005d ret 0x0000005e pop eax 0x0000005f ret 0x00000060 movsx edi, dx 0x00000063 push eax 0x00000064 push eax 0x00000065 push edx 0x00000066 jmp 00007FF3B88FFC4Ch 0x0000006b rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 102DBE1 second address: 102DC67 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF3B872238Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov dword ptr [ebp+122D2633h], eax 0x00000013 push dword ptr fs:[00000000h] 0x0000001a mov di, cx 0x0000001d pushad 0x0000001e mov ah, ch 0x00000020 jmp 00007FF3B8722392h 0x00000025 popad 0x00000026 mov dword ptr fs:[00000000h], esp 0x0000002d or dword ptr [ebp+122D29F3h], edi 0x00000033 mov eax, dword ptr [ebp+122D087Dh] 0x00000039 mov ebx, dword ptr [ebp+124617B9h] 0x0000003f push FFFFFFFFh 0x00000041 mov dword ptr [ebp+122D31A4h], esi 0x00000047 mov dword ptr [ebp+122D1908h], ebx 0x0000004d push eax 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 jmp 00007FF3B872238Bh 0x00000056 jmp 00007FF3B8722396h 0x0000005b popad 0x0000005c rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 102CBB1 second address: 102CBE5 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF3B88FFC59h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jo 00007FF3B88FFC60h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FF3B88FFC4Eh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 102FE7D second address: 102FE83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1031D2A second address: 1031D42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF3B88FFC54h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 102FE83 second address: 102FE87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1031D42 second address: 1031D68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007FF3B88FFC53h 0x00000011 jnl 00007FF3B88FFC46h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1030EDA second address: 1030EDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1032E4D second address: 1032E66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FF3B88FFC46h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 jc 00007FF3B88FFC46h 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1032E66 second address: 1032E6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1032F10 second address: 1032F17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1031FA4 second address: 1031FA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1031FA9 second address: 1031FAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1031FAE second address: 1031FCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF3B872238Fh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1031FCA second address: 1031FCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1033F96 second address: 1033FA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF3B872238Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1033FA9 second address: 1033FC6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B88FFC4Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1033FC6 second address: 1033FCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1034122 second address: 1034127 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1037127 second address: 103712D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 103712D second address: 1037141 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF3B88FFC50h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1037141 second address: 1037145 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1037145 second address: 10371A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov edi, dword ptr [ebp+122D392Bh] 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ecx 0x00000018 call 00007FF3B88FFC48h 0x0000001d pop ecx 0x0000001e mov dword ptr [esp+04h], ecx 0x00000022 add dword ptr [esp+04h], 0000001Dh 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c ret 0x0000002d pop ecx 0x0000002e ret 0x0000002f add edi, 2E74DC4Fh 0x00000035 js 00007FF3B88FFC4Ch 0x0000003b mov dword ptr [ebp+122D220Ah], edi 0x00000041 xchg eax, esi 0x00000042 pushad 0x00000043 jnl 00007FF3B88FFC4Ch 0x00000049 push eax 0x0000004a push edx 0x0000004b jc 00007FF3B88FFC46h 0x00000051 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1039180 second address: 1039185 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1039696 second address: 10396A4 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF3B88FFC46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10396A4 second address: 10396A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1039748 second address: 1039752 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF3B88FFC46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 103B5CA second address: 103B5D4 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF3B8722386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 103B5D4 second address: 103B5DE instructions: 0x00000000 rdtsc 0x00000002 js 00007FF3B88FFC4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 103B5DE second address: 103B647 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebp 0x0000000a call 00007FF3B8722388h 0x0000000f pop ebp 0x00000010 mov dword ptr [esp+04h], ebp 0x00000014 add dword ptr [esp+04h], 00000016h 0x0000001c inc ebp 0x0000001d push ebp 0x0000001e ret 0x0000001f pop ebp 0x00000020 ret 0x00000021 pushad 0x00000022 mov dword ptr [ebp+122D18FFh], ecx 0x00000028 mov esi, dword ptr [ebp+122D296Fh] 0x0000002e popad 0x0000002f push 00000000h 0x00000031 jmp 00007FF3B872238Ah 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push ebp 0x0000003b call 00007FF3B8722388h 0x00000040 pop ebp 0x00000041 mov dword ptr [esp+04h], ebp 0x00000045 add dword ptr [esp+04h], 00000016h 0x0000004d inc ebp 0x0000004e push ebp 0x0000004f ret 0x00000050 pop ebp 0x00000051 ret 0x00000052 push eax 0x00000053 push ebx 0x00000054 jng 00007FF3B872238Ch 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10398D4 second address: 10398FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B88FFC54h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jbe 00007FF3B88FFC4Ch 0x00000013 je 00007FF3B88FFC46h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10398FC second address: 1039902 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1039902 second address: 1039906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1039906 second address: 1039969 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push dword ptr fs:[00000000h] 0x00000010 mov dword ptr [ebp+122D2210h], ecx 0x00000016 mov dword ptr fs:[00000000h], esp 0x0000001d mov dword ptr [ebp+12470BE8h], edx 0x00000023 mov eax, dword ptr [ebp+122D09E1h] 0x00000029 movzx edi, si 0x0000002c jmp 00007FF3B872238Fh 0x00000031 push FFFFFFFFh 0x00000033 push 00000000h 0x00000035 push ebp 0x00000036 call 00007FF3B8722388h 0x0000003b pop ebp 0x0000003c mov dword ptr [esp+04h], ebp 0x00000040 add dword ptr [esp+04h], 00000017h 0x00000048 inc ebp 0x00000049 push ebp 0x0000004a ret 0x0000004b pop ebp 0x0000004c ret 0x0000004d nop 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 pushad 0x00000052 popad 0x00000053 pop eax 0x00000054 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 103C642 second address: 103C6C2 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF3B88FFC46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007FF3B88FFC48h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 0000001Ah 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 mov dword ptr [ebp+122D1F39h], edi 0x0000002d push 00000000h 0x0000002f sub dword ptr [ebp+122D1876h], eax 0x00000035 push 00000000h 0x00000037 call 00007FF3B88FFC54h 0x0000003c mov ebx, dword ptr [ebp+122D36EFh] 0x00000042 pop edi 0x00000043 xor dword ptr [ebp+122D17C5h], eax 0x00000049 xchg eax, esi 0x0000004a jp 00007FF3B88FFC65h 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007FF3B88FFC57h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10452E7 second address: 1045311 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pushad 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FF3B8722390h 0x00000011 push edi 0x00000012 pop edi 0x00000013 popad 0x00000014 pushad 0x00000015 jc 00007FF3B8722386h 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10454B2 second address: 10454EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FF3B88FFC63h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e jmp 00007FF3B88FFC4Bh 0x00000013 jg 00007FF3B88FFC46h 0x00000019 pop ebx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 104AE29 second address: 104AE32 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 104AE32 second address: 104AE4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF3B88FFC50h 0x00000009 jp 00007FF3B88FFC46h 0x0000000f push edi 0x00000010 pop edi 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FE4EEB second address: FE4F07 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8722392h 0x00000007 jbe 00007FF3B872238Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 104D586 second address: 104D58C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 104D58C second address: 104D5E3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnc 00007FF3B8722386h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jmp 00007FF3B8722397h 0x00000015 mov eax, dword ptr [eax] 0x00000017 jmp 00007FF3B8722394h 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FF3B8722392h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 104D5E3 second address: 104D5FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B88FFC57h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 104D6D0 second address: 104D6D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 104D6D6 second address: 104D6FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edi 0x00000008 pushad 0x00000009 jmp 00007FF3B88FFC4Ch 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pop edi 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push eax 0x00000017 push edx 0x00000018 jp 00007FF3B88FFC48h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 104D6FD second address: 104D722 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FF3B8722398h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 104D722 second address: 104D736 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF3B88FFC4Fh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FEA03B second address: FEA040 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FEA040 second address: FEA048 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FEA048 second address: FEA04C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FEA04C second address: FEA052 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FEA052 second address: FEA05E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1051B52 second address: 1051B58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1051B58 second address: 1051B65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007FF3B8722388h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1051B65 second address: 1051B6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1051B6B second address: 1051B71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1051B71 second address: 1051B75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1051B75 second address: 1051B79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10544A2 second address: 10544E1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FF3B88FFC59h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop ecx 0x0000000b jmp 00007FF3B88FFC4Ch 0x00000010 pop edx 0x00000011 pop eax 0x00000012 jo 00007FF3B88FFC6Ah 0x00000018 pushad 0x00000019 push edx 0x0000001a pop edx 0x0000001b push edi 0x0000001c pop edi 0x0000001d pushad 0x0000001e popad 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10544E1 second address: 10544E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10544E5 second address: 10544E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 105873C second address: 105874B instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF3B8722386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 105874B second address: 1058757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FF3B88FFC46h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10588AE second address: 10588B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10588B4 second address: 10588B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10588B8 second address: 10588C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B872238Bh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1058A15 second address: 1058A57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FF3B88FFC58h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 pushad 0x00000012 jmp 00007FF3B88FFC50h 0x00000017 jmp 00007FF3B88FFC4Ah 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1058A57 second address: 1058A5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1058A5D second address: 1058A66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 105AE21 second address: 105AE27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 105AE27 second address: 105AE2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FDE39C second address: FDE3A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FF3B8722386h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FDE3A6 second address: FDE3B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007FF3B88FFC46h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 102073A second address: 1020767 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF3B8722390h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 lea eax, dword ptr [ebp+1247C4ACh] 0x00000016 mov ecx, dword ptr [ebp+122D38C3h] 0x0000001c nop 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1020767 second address: 100B20F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007FF3B88FFC48h 0x0000000c popad 0x0000000d push eax 0x0000000e push ebx 0x0000000f pushad 0x00000010 jnp 00007FF3B88FFC46h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 pop ebx 0x0000001a nop 0x0000001b jmp 00007FF3B88FFC51h 0x00000020 call dword ptr [ebp+122D1D49h] 0x00000026 jnp 00007FF3B88FFC73h 0x0000002c push edi 0x0000002d jmp 00007FF3B88FFC57h 0x00000032 pushad 0x00000033 popad 0x00000034 pop edi 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1020D7B second address: 1020DBD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FF3B8722394h 0x0000000c jmp 00007FF3B872238Eh 0x00000011 popad 0x00000012 add dword ptr [esp], 2E09D5B1h 0x00000019 mov dword ptr [ebp+122D2633h], eax 0x0000001f push edx 0x00000020 sub dword ptr [ebp+12461FD2h], edx 0x00000026 pop edx 0x00000027 call 00007FF3B8722389h 0x0000002c jl 00007FF3B872238Eh 0x00000032 push ebx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1020DBD second address: 1020DD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 jo 00007FF3B88FFC54h 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007FF3B88FFC46h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1020DD1 second address: 1020DE5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d jns 00007FF3B8722386h 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1020DE5 second address: 1020E10 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FF3B88FFC52h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e jno 00007FF3B88FFC48h 0x00000014 push eax 0x00000015 push edx 0x00000016 je 00007FF3B88FFC46h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1020E10 second address: 1020E14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1020E14 second address: 1020E28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007FF3B88FFC46h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1020EFC second address: 1020F07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FF3B8722386h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10210C2 second address: 10210D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF3B88FFC50h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10210D6 second address: 10210F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B872238Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e push ecx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10210F3 second address: 10210F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1021196 second address: 102119A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 102119A second address: 10211B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B88FFC57h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 102175B second address: 1021761 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1021761 second address: 10217A4 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF3B88FFC46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007FF3B88FFC48h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 mov cx, 17B5h 0x0000002b push 0000001Eh 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 pushad 0x00000032 popad 0x00000033 jp 00007FF3B88FFC46h 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1021B3F second address: 1021B43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1021B43 second address: 1021BBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007FF3B88FFC48h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 0000001Dh 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 mov edi, 03E94A93h 0x00000029 lea eax, dword ptr [ebp+1247C4F0h] 0x0000002f push 00000000h 0x00000031 push esi 0x00000032 call 00007FF3B88FFC48h 0x00000037 pop esi 0x00000038 mov dword ptr [esp+04h], esi 0x0000003c add dword ptr [esp+04h], 0000001Ah 0x00000044 inc esi 0x00000045 push esi 0x00000046 ret 0x00000047 pop esi 0x00000048 ret 0x00000049 call 00007FF3B88FFC4Ah 0x0000004e sub dword ptr [ebp+122D1EDBh], esi 0x00000054 pop edx 0x00000055 pushad 0x00000056 mov al, DAh 0x00000058 popad 0x00000059 push eax 0x0000005a je 00007FF3B88FFC54h 0x00000060 pushad 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1021BBE second address: 1021C08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FF3B8722386h 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e mov ecx, 16D01F60h 0x00000013 lea eax, dword ptr [ebp+1247C4ACh] 0x00000019 call 00007FF3B8722395h 0x0000001e jmp 00007FF3B8722395h 0x00000023 pop edi 0x00000024 push eax 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 push ecx 0x00000029 pop ecx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1021C08 second address: 1021C12 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1021C12 second address: 100BD26 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007FF3B8722388h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 0000001Dh 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 jmp 00007FF3B872238Dh 0x00000029 or dword ptr [ebp+122D2210h], edx 0x0000002f call dword ptr [ebp+122D1F18h] 0x00000035 jc 00007FF3B8722392h 0x0000003b je 00007FF3B872238Ch 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 105E3A1 second address: 105E3B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B88FFC4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007FF3B88FFC4Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 105E666 second address: 105E678 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B872238Ch 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 105E678 second address: 105E67D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 105E67D second address: 105E693 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FF3B8722386h 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e js 00007FF3B872238Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 105E813 second address: 105E81D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 105E81D second address: 105E823 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 105E823 second address: 105E82D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 105E82D second address: 105E864 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FF3B8722386h 0x0000000a jmp 00007FF3B8722399h 0x0000000f popad 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 jng 00007FF3B8722386h 0x00000019 pop edx 0x0000001a popad 0x0000001b push ebx 0x0000001c pushad 0x0000001d pushad 0x0000001e popad 0x0000001f push edi 0x00000020 pop edi 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 105E864 second address: 105E86A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 105E99F second address: 105E9C3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FF3B8722392h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jbe 00007FF3B8722386h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 105E9C3 second address: 105E9CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 popad 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 105EB68 second address: 105EB70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 105EB70 second address: 105EBB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FF3B88FFC52h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF3B88FFC52h 0x00000012 jmp 00007FF3B88FFC54h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 105ED38 second address: 105ED3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 105EEC0 second address: 105EED7 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF3B88FFC4Ah 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pushad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jnp 00007FF3B88FFC50h 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 106B6C0 second address: 106B6C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 106A178 second address: 106A17E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 106A305 second address: 106A30B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 106A30B second address: 106A30F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 106A30F second address: 106A313 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 106A313 second address: 106A319 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 106A47D second address: 106A481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 106A5F2 second address: 106A610 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FF3B88FFC55h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 106A610 second address: 106A63E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8722391h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FF3B8722395h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 106A63E second address: 106A642 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 106A7CC second address: 106A7E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF3B8722395h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 106A93F second address: 106A966 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FF3B88FFC4Fh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF3B88FFC4Dh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 106A966 second address: 106A96A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 106A96A second address: 106A96E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 106A96E second address: 106A974 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 106AD37 second address: 106AD48 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 je 00007FF3B88FFC46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 106AF21 second address: 106AF34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF3B872238Dh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 106B0DB second address: 106B0DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 106B0DF second address: 106B0EF instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF3B8722386h 0x00000008 js 00007FF3B8722386h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1069CC0 second address: 1069CD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF3B88FFC4Bh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1069CD1 second address: 1069CD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 106E37A second address: 106E37E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 106E37E second address: 106E38F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a jne 00007FF3B8722386h 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 106E38F second address: 106E395 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1070854 second address: 107085F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push edx 0x00000006 pop edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1072EF7 second address: 1072EFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1072EFD second address: 1072F10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jmp 00007FF3B872238Bh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: FD799E second address: FD79BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edi 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007FF3B88FFC53h 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1076037 second address: 1076066 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FF3B8722386h 0x0000000a jmp 00007FF3B872238Eh 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jc 00007FF3B8722386h 0x00000018 push edx 0x00000019 pop edx 0x0000001a popad 0x0000001b popad 0x0000001c js 00007FF3B87223C9h 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1076066 second address: 1076070 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FF3B88FFC46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1076070 second address: 107607F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jnp 00007FF3B8722386h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 107607F second address: 107609A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF3B88FFC55h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 107609A second address: 10760A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1076328 second address: 1076341 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FF3B88FFC53h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1076495 second address: 1076499 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1076499 second address: 10764D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B88FFC59h 0x00000007 jmp 00007FF3B88FFC54h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jnp 00007FF3B88FFC4Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10764D6 second address: 10764EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FF3B8722386h 0x00000009 jmp 00007FF3B872238Dh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10768AB second address: 10768AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1079379 second address: 1079393 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF3B8722396h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1079393 second address: 1079397 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10794C8 second address: 10794E7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FF3B8722396h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10794E7 second address: 10794FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 js 00007FF3B88FFC6Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007FF3B88FFC46h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10794FD second address: 1079501 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 107964F second address: 1079659 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF3B88FFC46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1079659 second address: 107967F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007FF3B872238Ah 0x0000000f jmp 00007FF3B8722393h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 107967F second address: 1079695 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF3B88FFC52h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 107991D second address: 1079951 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF3B872238Dh 0x00000009 popad 0x0000000a pushad 0x0000000b jo 00007FF3B8722386h 0x00000011 jbe 00007FF3B8722386h 0x00000017 jmp 00007FF3B872238Fh 0x0000001c popad 0x0000001d pushad 0x0000001e push eax 0x0000001f pop eax 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1079951 second address: 107996C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FF3B88FFC46h 0x0000000a popad 0x0000000b popad 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007FF3B88FFC4Ah 0x00000016 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 107E854 second address: 107E85A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 107E85A second address: 107E861 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 107E861 second address: 107E882 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 jo 00007FF3B8722386h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF3B8722391h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 107ECE5 second address: 107ED18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FF3B88FFC4Ch 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007FF3B88FFC58h 0x00000015 push esi 0x00000016 pop esi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 107ED18 second address: 107ED21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 107ED21 second address: 107ED30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B88FFC4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 107ED30 second address: 107ED36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 107F312 second address: 107F328 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF3B88FFC4Fh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1086F02 second address: 1086F0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1086F0E second address: 1086F1E instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF3B88FFC46h 0x00000008 jg 00007FF3B88FFC46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1086F1E second address: 1086F3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8722395h 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007FF3B8722386h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 108517C second address: 1085181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1085478 second address: 108547C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10855F5 second address: 1085611 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF3B88FFC58h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1085611 second address: 1085615 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1085615 second address: 1085627 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF3B88FFC4Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1085627 second address: 108567E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jp 00007FF3B8722386h 0x0000000b push esi 0x0000000c pop esi 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push esi 0x00000012 jmp 00007FF3B8722399h 0x00000017 pop esi 0x00000018 pushad 0x00000019 je 00007FF3B8722386h 0x0000001f jg 00007FF3B8722386h 0x00000025 pushad 0x00000026 popad 0x00000027 jmp 00007FF3B8722393h 0x0000002c popad 0x0000002d jc 00007FF3B872238Ch 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 108567E second address: 1085686 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1085686 second address: 108568A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1085BFA second address: 1085C00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1085C00 second address: 1085C04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1085C04 second address: 1085C0E instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF3B88FFC46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1085EF7 second address: 1085F14 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF3B8722397h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1085F14 second address: 1085F4D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FF3B88FFC53h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jmp 00007FF3B88FFC4Bh 0x00000011 pushad 0x00000012 jmp 00007FF3B88FFC4Fh 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1086DA9 second address: 1086DAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 108BB9F second address: 108BBA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 108BBA5 second address: 108BBA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 108BBA9 second address: 108BBD2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FF3B88FFC55h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007FF3B88FFC46h 0x00000013 jns 00007FF3B88FFC46h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 108BA18 second address: 108BA39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jg 00007FF3B8722386h 0x0000000e push edx 0x0000000f pop edx 0x00000010 popad 0x00000011 popad 0x00000012 pushad 0x00000013 pushad 0x00000014 jmp 00007FF3B872238Bh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 108BA39 second address: 108BA3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 108F44E second address: 108F452 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 108F5D1 second address: 108F5D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 108F72D second address: 108F731 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 108F731 second address: 108F765 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B88FFC56h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF3B88FFC56h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 108F765 second address: 108F769 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 108F769 second address: 108F773 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 108F773 second address: 108F789 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF3B8722392h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 109EE39 second address: 109EE50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jp 00007FF3B88FFC46h 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d jc 00007FF3B88FFC46h 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 109EE50 second address: 109EE6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jg 00007FF3B8722386h 0x0000000c popad 0x0000000d popad 0x0000000e push edi 0x0000000f jmp 00007FF3B872238Ah 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10A6F57 second address: 10A6F66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF3B88FFC4Ah 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10AF78A second address: 10AF78F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10AF78F second address: 10AF7A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FF3B88FFC4Dh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10B3409 second address: 10B3414 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FF3B8722386h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10B3414 second address: 10B3435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FF3B8B950B2h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007FF3B8B950A6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10B69A1 second address: 10B69BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FF3B8E28BAFh 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push edx 0x00000012 pop edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10B69BF second address: 10B69CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF3B8B950AAh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10B69CE second address: 10B69D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10B6B2C second address: 10B6B30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10D8DC5 second address: 10D8DD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 je 00007FF3B8E28BA6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10D8DD1 second address: 10D8DFB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FF3B8B950ACh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FF3B8B950B2h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10D8DFB second address: 10D8E0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF3B8E28BAAh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10D8E0B second address: 10D8E1F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8B950AEh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10D8E1F second address: 10D8E29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FF3B8E28BA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10D8E29 second address: 10D8E2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10DD03F second address: 10DD043 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 10DD043 second address: 10DD047 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 11057B3 second address: 11057C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jno 00007FF3B8E28BA6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1105C0B second address: 1105C25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF3B8B950B0h 0x00000009 jne 00007FF3B8B950A6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1105C25 second address: 1105C5E instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF3B8E28BA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnp 00007FF3B8E28BA8h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 jc 00007FF3B8E28BFBh 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FF3B8E28BB7h 0x0000001f js 00007FF3B8E28BA6h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1105C5E second address: 1105C68 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF3B8B950A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1105C68 second address: 1105C72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1105C72 second address: 1105C76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1105F98 second address: 1105FA2 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF3B8E28BA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1106140 second address: 110614A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF3B8B950A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 110614A second address: 1106150 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1106150 second address: 110615A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FF3B8B950A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 1107C64 second address: 1107C83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF3B8E28BB5h 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 110A59E second address: 110A5A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 110A5A2 second address: 110A5A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 110A864 second address: 110A86B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 110A86B second address: 110A882 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF3B8E28BACh 0x00000008 jg 00007FF3B8E28BA6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 110A882 second address: 110A888 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 110A888 second address: 110A8D9 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF3B8E28BACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b or dword ptr [ebp+124620B2h], esi 0x00000011 push 00000004h 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007FF3B8E28BA8h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 0000001Ah 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d mov dword ptr [ebp+122D1B7Dh], eax 0x00000033 mov edx, dword ptr [ebp+122D214Eh] 0x00000039 push F1D78816h 0x0000003e pushad 0x0000003f push eax 0x00000040 push edx 0x00000041 push edx 0x00000042 pop edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 110A8D9 second address: 110A8DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 110AB08 second address: 110AB61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8E28BB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a call 00007FF3B8E28BB9h 0x0000000f jbe 00007FF3B8E28BACh 0x00000015 mov edx, dword ptr [ebp+122D270Ch] 0x0000001b pop edx 0x0000001c push dword ptr [ebp+122D29B5h] 0x00000022 mov edx, 59D7BDCFh 0x00000027 push EB20CE00h 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 pop eax 0x00000031 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 110AB61 second address: 110AB6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 110C389 second address: 110C3A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007FF3B8E28BB4h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 110C3A3 second address: 110C3A8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 52302F9 second address: 52302FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 52302FF second address: 5230316 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8B950AAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5230316 second address: 523031A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 523031A second address: 5230320 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5230320 second address: 5230336 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF3B8E28BB2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5230336 second address: 523034B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF3B8B950AAh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 523034B second address: 523035D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF3B8E28BAEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 523035D second address: 5230387 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8B950ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FF3B8B950B5h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 51B0B84 second address: 51B0B93 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8E28BABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 51B0B93 second address: 51B0BAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF3B8B950B4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 51B0CA9 second address: 51B0CAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 51B0CAF second address: 51B0CB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5200BCC second address: 5200C28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8E28BB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FF3B8E28BB3h 0x00000013 or ah, FFFFFF9Eh 0x00000016 jmp 00007FF3B8E28BB9h 0x0000001b popfd 0x0000001c call 00007FF3B8E28BB0h 0x00000021 pop eax 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5200C28 second address: 5200C43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF3B8B950B7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5200C43 second address: 5200C47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5200C47 second address: 5200C56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5200C56 second address: 5200C5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5200C5A second address: 5200C6B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8B950ADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5200C6B second address: 5200C71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5200C71 second address: 5200C75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5200C75 second address: 5200C79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5200C79 second address: 5200CC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a mov edx, 5A969B58h 0x0000000f pushfd 0x00000010 jmp 00007FF3B8B950B1h 0x00000015 or cx, B846h 0x0000001a jmp 00007FF3B8B950B1h 0x0000001f popfd 0x00000020 popad 0x00000021 mov ebp, esp 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FF3B8B950ADh 0x0000002a rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 52504B7 second address: 52504BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 52504BD second address: 52504DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF3B8B950B9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 51C044E second address: 51C047A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, cx 0x00000006 call 00007FF3B8E28BAAh 0x0000000b pop esi 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FF3B8E28BB3h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 51C047A second address: 51C047E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 51C047E second address: 51C0484 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 51C0484 second address: 51C04A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, di 0x00000006 mov eax, ebx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FF3B8B950ABh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 51C04A0 second address: 51C04A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 51C04A6 second address: 51C04AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5230098 second address: 523009E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 523009E second address: 52300A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 52306C0 second address: 52306C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 52306C6 second address: 52306CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 52306CA second address: 5230707 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FF3B8E28BAFh 0x00000010 jmp 00007FF3B8E28BB3h 0x00000015 popfd 0x00000016 mov ch, 02h 0x00000018 popad 0x00000019 mov ebp, esp 0x0000001b pushad 0x0000001c mov edi, 1740C564h 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5230707 second address: 523070B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 523070B second address: 523070F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 523070F second address: 523075C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [ebp+08h] 0x0000000a pushad 0x0000000b mov esi, edx 0x0000000d mov si, bx 0x00000010 popad 0x00000011 and dword ptr [eax], 00000000h 0x00000014 jmp 00007FF3B8B950B9h 0x00000019 and dword ptr [eax+04h], 00000000h 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FF3B8B950B8h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 523075C second address: 5230760 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5230760 second address: 5230766 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5230766 second address: 523076C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 523076C second address: 5230770 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5200B0E second address: 5200B38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, esi 0x00000005 mov dl, al 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b jmp 00007FF3B8E28BABh 0x00000010 mov ebp, esp 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov dh, 72h 0x00000017 jmp 00007FF3B8E28BACh 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5200B38 second address: 5200B5A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8B950ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007FF3B8B950ABh 0x00000012 movzx ecx, dx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 524011E second address: 5240157 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8E28BADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b movzx ecx, bx 0x0000000e jmp 00007FF3B8E28BB9h 0x00000013 popad 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 mov cx, 77C9h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5240157 second address: 5240190 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8B950B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushfd 0x0000000e jmp 00007FF3B8B950ACh 0x00000013 sbb esi, 3A1FF748h 0x00000019 jmp 00007FF3B8B950ABh 0x0000001e popfd 0x0000001f rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5240190 second address: 52401AD instructions: 0x00000000 rdtsc 0x00000002 mov ax, BEBFh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dx, si 0x0000000b popad 0x0000000c mov ebp, esp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF3B8E28BADh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 52401AD second address: 52401BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF3B8B950ACh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 51E07E2 second address: 51E080B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 009Ah 0x00000007 mov si, dx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF3B8E28BB9h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 51E080B second address: 51E0853 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 18E3E852h 0x00000008 pushfd 0x00000009 jmp 00007FF3B8B950B3h 0x0000000e xor esi, 67ABC44Eh 0x00000014 jmp 00007FF3B8B950B9h 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d mov dword ptr [esp], ebp 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 51E0853 second address: 51E0859 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 51E0859 second address: 51E085F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 51E085F second address: 51E0881 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8E28BACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FF3B8E28BAAh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 51E0881 second address: 51E0890 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8B950ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 51E0890 second address: 51E08BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8E28BB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a pushad 0x0000000b mov ecx, 30D2E6A3h 0x00000010 push eax 0x00000011 push edx 0x00000012 mov cx, D615h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 51E08BA second address: 51E08BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5240B8F second address: 5240B93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5240B93 second address: 5240BAE instructions: 0x00000000 rdtsc 0x00000002 movzx eax, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push esp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF3B8B950AEh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5240BAE second address: 5240BBD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8E28BABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5240BBD second address: 5240C08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8B950B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d call 00007FF3B8B950ACh 0x00000012 mov esi, 3DF978E1h 0x00000017 pop eax 0x00000018 movsx ebx, ax 0x0000001b popad 0x0000001c mov ebp, esp 0x0000001e pushad 0x0000001f mov dx, 2CB6h 0x00000023 popad 0x00000024 push ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 pushad 0x00000029 popad 0x0000002a mov edx, 672E24A8h 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5240C08 second address: 5240C47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8E28BAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ecx 0x0000000c pushad 0x0000000d jmp 00007FF3B8E28BAEh 0x00000012 mov dl, cl 0x00000014 popad 0x00000015 mov eax, dword ptr [76FB65FCh] 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FF3B8E28BAFh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5240C47 second address: 5240C4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5240C4D second address: 5240C90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, si 0x00000006 pushfd 0x00000007 jmp 00007FF3B8E28BAEh 0x0000000c adc ecx, 6EF54C98h 0x00000012 jmp 00007FF3B8E28BABh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b test eax, eax 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FF3B8E28BB5h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5240C90 second address: 5240CA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF3B8B950ACh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5240CA0 second address: 5240CE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8E28BABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007FF42AB1B85Bh 0x00000011 jmp 00007FF3B8E28BB6h 0x00000016 mov ecx, eax 0x00000018 jmp 00007FF3B8E28BB0h 0x0000001d xor eax, dword ptr [ebp+08h] 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5240CE8 second address: 5240CEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5240CEC second address: 5240CF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5240CF2 second address: 5240CF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5240CF8 second address: 5240D56 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8E28BB7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and ecx, 1Fh 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FF3B8E28BB4h 0x00000015 add al, 00000078h 0x00000018 jmp 00007FF3B8E28BABh 0x0000001d popfd 0x0000001e mov bx, si 0x00000021 popad 0x00000022 ror eax, cl 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FF3B8E28BB1h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5200031 second address: 5200040 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8B950ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5200040 second address: 5200046 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5200046 second address: 520004A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 520004A second address: 520006D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b pushad 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ebx 0x0000000f pop esi 0x00000010 mov di, 4C88h 0x00000014 popad 0x00000015 mov ebp, esp 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FF3B8E28BAAh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 520006D second address: 5200073 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5200073 second address: 5200077 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5200077 second address: 52000EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and esp, FFFFFFF8h 0x0000000b pushad 0x0000000c movsx edi, cx 0x0000000f mov edx, eax 0x00000011 popad 0x00000012 xchg eax, ecx 0x00000013 pushad 0x00000014 mov dh, ch 0x00000016 push edi 0x00000017 jmp 00007FF3B8B950B0h 0x0000001c pop esi 0x0000001d popad 0x0000001e push eax 0x0000001f pushad 0x00000020 jmp 00007FF3B8B950AEh 0x00000025 jmp 00007FF3B8B950B2h 0x0000002a popad 0x0000002b xchg eax, ecx 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f pushfd 0x00000030 jmp 00007FF3B8B950ADh 0x00000035 add ax, F516h 0x0000003a jmp 00007FF3B8B950B1h 0x0000003f popfd 0x00000040 mov edx, esi 0x00000042 popad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 52000EF second address: 52000F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 52000F5 second address: 52000F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 52000F9 second address: 52000FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 52000FD second address: 5200132 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 jmp 00007FF3B8B950B0h 0x0000000e mov dword ptr [esp], ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FF3B8B950B7h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5200132 second address: 5200183 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8E28BB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [ebp+10h] 0x0000000c jmp 00007FF3B8E28BAEh 0x00000011 xchg eax, esi 0x00000012 jmp 00007FF3B8E28BB0h 0x00000017 push eax 0x00000018 jmp 00007FF3B8E28BABh 0x0000001d xchg eax, esi 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5200183 second address: 5200215 instructions: 0x00000000 rdtsc 0x00000002 mov edx, eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF3B8B950ACh 0x0000000b popad 0x0000000c mov esi, dword ptr [ebp+08h] 0x0000000f jmp 00007FF3B8B950B0h 0x00000014 xchg eax, edi 0x00000015 jmp 00007FF3B8B950B0h 0x0000001a push eax 0x0000001b pushad 0x0000001c mov bx, 8AC4h 0x00000020 mov bx, 8F30h 0x00000024 popad 0x00000025 xchg eax, edi 0x00000026 pushad 0x00000027 jmp 00007FF3B8B950B5h 0x0000002c push ecx 0x0000002d pushfd 0x0000002e jmp 00007FF3B8B950B7h 0x00000033 jmp 00007FF3B8B950B3h 0x00000038 popfd 0x00000039 pop eax 0x0000003a popad 0x0000003b test esi, esi 0x0000003d pushad 0x0000003e push eax 0x0000003f push edx 0x00000040 mov ebx, 2CA2DAC6h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5200215 second address: 52002B0 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FF3B8E28BB7h 0x00000008 xor esi, 3EAF494Eh 0x0000000e jmp 00007FF3B8E28BB9h 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushfd 0x00000017 jmp 00007FF3B8E28BB0h 0x0000001c add si, 3DC8h 0x00000021 jmp 00007FF3B8E28BABh 0x00000026 popfd 0x00000027 popad 0x00000028 je 00007FF42AB56F47h 0x0000002e jmp 00007FF3B8E28BB6h 0x00000033 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007FF3B8E28BB7h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 52002B0 second address: 5200305 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 567Ah 0x00000007 pushfd 0x00000008 jmp 00007FF3B8B950ABh 0x0000000d xor al, 0000001Eh 0x00000010 jmp 00007FF3B8B950B9h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 je 00007FF42A8C33EEh 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 call 00007FF3B8B950B3h 0x00000027 pop esi 0x00000028 mov di, 915Ch 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5200305 second address: 520030B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 520030B second address: 520031F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [esi+44h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov si, dx 0x00000011 push edi 0x00000012 pop esi 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 520031F second address: 5200369 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF3B8E28BB8h 0x00000009 sub eax, 73864CD8h 0x0000000f jmp 00007FF3B8E28BABh 0x00000014 popfd 0x00000015 mov di, cx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b or edx, dword ptr [ebp+0Ch] 0x0000001e pushad 0x0000001f mov edi, eax 0x00000021 movzx eax, di 0x00000024 popad 0x00000025 test edx, 61000000h 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5200369 second address: 520036F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 520036F second address: 5200375 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5200375 second address: 520041D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8B950B5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007FF42A8C339Eh 0x00000011 jmp 00007FF3B8B950AEh 0x00000016 test byte ptr [esi+48h], 00000001h 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007FF3B8B950AEh 0x00000021 xor ax, BBF8h 0x00000026 jmp 00007FF3B8B950ABh 0x0000002b popfd 0x0000002c popad 0x0000002d jne 00007FF42A8C337Dh 0x00000033 pushad 0x00000034 jmp 00007FF3B8B950ABh 0x00000039 push ecx 0x0000003a pushfd 0x0000003b jmp 00007FF3B8B950AFh 0x00000040 sub si, 3C6Eh 0x00000045 jmp 00007FF3B8B950B9h 0x0000004a popfd 0x0000004b pop ecx 0x0000004c popad 0x0000004d test bl, 00000007h 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007FF3B8B950AAh 0x00000057 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 520041D second address: 5200423 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5200423 second address: 5200427 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5200427 second address: 520042B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 522047C second address: 52204EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF3B8B950AFh 0x00000009 adc si, 9FDEh 0x0000000e jmp 00007FF3B8B950B9h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 jmp 00007FF3B8B950ACh 0x0000001d xchg eax, ebp 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007FF3B8B950AEh 0x00000025 sub eax, 082EB708h 0x0000002b jmp 00007FF3B8B950ABh 0x00000030 popfd 0x00000031 mov ecx, 48B9E97Fh 0x00000036 popad 0x00000037 mov ebp, esp 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 52204EF second address: 52204F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 52204F3 second address: 52204F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 52204F7 second address: 52204FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 52204FD second address: 5220533 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8B950B6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and esp, FFFFFFF8h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF3B8B950B7h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5220533 second address: 5220539 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5220539 second address: 522053D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 522053D second address: 522054C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 522054C second address: 5220565 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8B950B5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5220565 second address: 52205D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, di 0x00000006 pushfd 0x00000007 jmp 00007FF3B8E28BB3h 0x0000000c jmp 00007FF3B8E28BB3h 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov dword ptr [esp], ebx 0x00000018 jmp 00007FF3B8E28BB6h 0x0000001d xchg eax, esi 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 jmp 00007FF3B8E28BADh 0x00000026 jmp 00007FF3B8E28BB0h 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 52205D1 second address: 52205F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8B950ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF3B8B950B4h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 52205F7 second address: 5220646 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8E28BABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007FF3B8E28BB6h 0x0000000f mov esi, dword ptr [ebp+08h] 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FF3B8E28BAEh 0x00000019 adc ecx, 6E882C68h 0x0000001f jmp 00007FF3B8E28BABh 0x00000024 popfd 0x00000025 push eax 0x00000026 push edx 0x00000027 mov al, 55h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5220646 second address: 522066A instructions: 0x00000000 rdtsc 0x00000002 call 00007FF3B8B950ABh 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov ebx, 00000000h 0x00000010 pushad 0x00000011 mov si, 9B61h 0x00000015 popad 0x00000016 test esi, esi 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 522066A second address: 522066E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 522066E second address: 5220672 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5220672 second address: 5220678 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5220678 second address: 522069B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, C010h 0x00000007 push edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c je 00007FF42A89ADB0h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FF3B8B950ADh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 522069B second address: 52206A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 52206A1 second address: 52206D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8B950ACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000010 jmp 00007FF3B8B950B0h 0x00000015 mov ecx, esi 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 52206D0 second address: 52206D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 52206D4 second address: 52206DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 52206DA second address: 52206E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 52206E0 second address: 52206E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 52206E4 second address: 5220717 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8E28BAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007FF42AB2E851h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FF3B8E28BB7h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5220717 second address: 5220775 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8B950B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test byte ptr [76FB6968h], 00000002h 0x00000010 pushad 0x00000011 mov ax, F043h 0x00000015 pushad 0x00000016 push ecx 0x00000017 pop edi 0x00000018 push ecx 0x00000019 pop ebx 0x0000001a popad 0x0000001b popad 0x0000001c jne 00007FF42A89AD15h 0x00000022 jmp 00007FF3B8B950ACh 0x00000027 mov edx, dword ptr [ebp+0Ch] 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007FF3B8B950B7h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5220775 second address: 5220824 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8E28BB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b push esi 0x0000000c pushfd 0x0000000d jmp 00007FF3B8E28BB3h 0x00000012 jmp 00007FF3B8E28BB3h 0x00000017 popfd 0x00000018 pop esi 0x00000019 movsx ebx, ax 0x0000001c popad 0x0000001d push eax 0x0000001e jmp 00007FF3B8E28BABh 0x00000023 xchg eax, ebx 0x00000024 jmp 00007FF3B8E28BB6h 0x00000029 xchg eax, ebx 0x0000002a pushad 0x0000002b pushfd 0x0000002c jmp 00007FF3B8E28BAEh 0x00000031 jmp 00007FF3B8E28BB5h 0x00000036 popfd 0x00000037 mov bx, si 0x0000003a popad 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007FF3B8E28BAFh 0x00000045 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5220824 second address: 5220828 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5220828 second address: 522082E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 522082E second address: 5220858 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 126D9DE1h 0x00000008 call 00007FF3B8B950AEh 0x0000000d pop ecx 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 xchg eax, ebx 0x00000012 pushad 0x00000013 mov ah, bl 0x00000015 mov ebx, esi 0x00000017 popad 0x00000018 push dword ptr [ebp+14h] 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5220858 second address: 522085C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 522085C second address: 5220862 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 52208B1 second address: 52208D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8E28BB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esp, ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov ax, di 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 52208D8 second address: 52208DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 521000C second address: 5210099 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF3B8E28BB4h 0x00000009 sub si, 0AD8h 0x0000000e jmp 00007FF3B8E28BABh 0x00000013 popfd 0x00000014 mov ax, 1D8Fh 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007FF3B8E28BB7h 0x00000025 or esi, 702A224Eh 0x0000002b jmp 00007FF3B8E28BB9h 0x00000030 popfd 0x00000031 pushfd 0x00000032 jmp 00007FF3B8E28BB0h 0x00000037 xor ch, FFFFFFC8h 0x0000003a jmp 00007FF3B8E28BABh 0x0000003f popfd 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5210099 second address: 521009F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 521009F second address: 52100A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 52100A3 second address: 52100B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov bh, CDh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 52100B3 second address: 52100B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5271A45 second address: 5271A4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cl, dh 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5271A4C second address: 5271ACA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, bx 0x00000006 mov bl, 24h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d push esi 0x0000000e mov di, 337Ch 0x00000012 pop edi 0x00000013 jmp 00007FF3B8E28BB2h 0x00000018 popad 0x00000019 push eax 0x0000001a pushad 0x0000001b mov ebx, 38138C44h 0x00000020 pushfd 0x00000021 jmp 00007FF3B8E28BADh 0x00000026 add esi, 2777DD86h 0x0000002c jmp 00007FF3B8E28BB1h 0x00000031 popfd 0x00000032 popad 0x00000033 xchg eax, ebp 0x00000034 jmp 00007FF3B8E28BAEh 0x00000039 mov ebp, esp 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007FF3B8E28BB7h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5271B4A second address: 5271B50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5271B50 second address: 5271A45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8E28BAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 retn 0004h 0x0000000c lea eax, dword ptr [ebp-10h] 0x0000000f push eax 0x00000010 call ebx 0x00000012 mov edi, edi 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 51C00E4 second address: 51C014D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8B950B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FF3B8B950AEh 0x0000000f push eax 0x00000010 jmp 00007FF3B8B950ABh 0x00000015 xchg eax, ebp 0x00000016 jmp 00007FF3B8B950B6h 0x0000001b mov ebp, esp 0x0000001d pushad 0x0000001e mov eax, 35B4DE5Dh 0x00000023 pushad 0x00000024 push ecx 0x00000025 pop edx 0x00000026 mov eax, 6D779D1Bh 0x0000002b popad 0x0000002c popad 0x0000002d xchg eax, ecx 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007FF3B8B950ADh 0x00000035 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 51C014D second address: 51C01FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8E28BB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FF3B8E28BB1h 0x0000000f xchg eax, ecx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FF3B8E28BACh 0x00000017 xor esi, 532D7378h 0x0000001d jmp 00007FF3B8E28BABh 0x00000022 popfd 0x00000023 mov bl, ah 0x00000025 popad 0x00000026 and dword ptr [ebp-04h], 00000000h 0x0000002a jmp 00007FF3B8E28BABh 0x0000002f lea eax, dword ptr [ebp-04h] 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 pushfd 0x00000036 jmp 00007FF3B8E28BABh 0x0000003b sub ax, 2FEEh 0x00000040 jmp 00007FF3B8E28BB9h 0x00000045 popfd 0x00000046 pushfd 0x00000047 jmp 00007FF3B8E28BB0h 0x0000004c add esi, 61D53F68h 0x00000052 jmp 00007FF3B8E28BABh 0x00000057 popfd 0x00000058 popad 0x00000059 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 51C01FC second address: 51C0214 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF3B8B950B4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 51C0214 second address: 51C0218 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 51C025E second address: 51C02FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF3B8B950AFh 0x00000009 sub si, 261Eh 0x0000000e jmp 00007FF3B8B950B9h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007FF3B8B950B0h 0x0000001a or esi, 7DAA1C18h 0x00000020 jmp 00007FF3B8B950ABh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 test eax, eax 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e call 00007FF3B8B950ABh 0x00000033 pop ecx 0x00000034 pushfd 0x00000035 jmp 00007FF3B8B950B9h 0x0000003a add ecx, 0FB1B066h 0x00000040 jmp 00007FF3B8B950B1h 0x00000045 popfd 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 51C02FA second address: 51C030A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF3B8E28BACh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 51C030A second address: 51C030E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 51A0C89 second address: 51A0C8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 51A0C8D second address: 51A0C93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 51A0C93 second address: 51A0C99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 51A0C99 second address: 51A0C9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 51A0C9D second address: 51A0CA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 525058C second address: 52505C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8B950B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FF3B8B950B1h 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FF3B8B950ADh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 52505C3 second address: 52505D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF3B8E28BACh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 52301A6 second address: 52301AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 52301AA second address: 52301C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8E28BB6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5290338 second address: 5290347 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8B950ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5290347 second address: 5290392 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 push edi 0x00000007 pop esi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebp 0x0000000c jmp 00007FF3B8E28BAAh 0x00000011 mov dword ptr [esp], ebp 0x00000014 pushad 0x00000015 jmp 00007FF3B8E28BAEh 0x0000001a pushad 0x0000001b call 00007FF3B8E28BB7h 0x00000020 pop ecx 0x00000021 popad 0x00000022 popad 0x00000023 mov ebp, esp 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5290392 second address: 5290396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5290396 second address: 529039A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 529039A second address: 52903A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 52903A0 second address: 52903FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8E28BB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+0Ch] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FF3B8E28BB4h 0x00000013 and si, 55D8h 0x00000018 jmp 00007FF3B8E28BABh 0x0000001d popfd 0x0000001e push eax 0x0000001f push edx 0x00000020 call 00007FF3B8E28BB6h 0x00000025 pop eax 0x00000026 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 52903FA second address: 529040A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push dword ptr [ebp+08h] 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push edi 0x0000000c pop esi 0x0000000d push ebx 0x0000000e pop esi 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 529040A second address: 529041B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF3B8E28BADh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 529041B second address: 529042D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push 08E3C846h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 mov edi, eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5290478 second address: 529047E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 529047E second address: 5290482 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5290482 second address: 52904CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 movzx eax, al 0x0000000b pushad 0x0000000c mov dl, A6h 0x0000000e call 00007FF3B8E28BB6h 0x00000013 call 00007FF3B8E28BB2h 0x00000018 pop ecx 0x00000019 pop ebx 0x0000001a popad 0x0000001b pop ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FF3B8E28BADh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5240572 second address: 524058C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF3B8B950B6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 524058C second address: 524059B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 524059B second address: 524059F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 524059F second address: 52405B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF3B8E28BB4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 52405B7 second address: 524062F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF3B8B950B1h 0x00000008 mov dl, cl 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FF3B8B950B4h 0x00000016 or ax, 30E8h 0x0000001b jmp 00007FF3B8B950ABh 0x00000020 popfd 0x00000021 popad 0x00000022 and esp, FFFFFFF0h 0x00000025 jmp 00007FF3B8B950B6h 0x0000002a sub esp, 44h 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007FF3B8B950B7h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5240775 second address: 5240779 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe RDTSC instruction interceptor: First address: 5240779 second address: 524077F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Special instruction interceptor: First address: E779BF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Special instruction interceptor: First address: 10208A6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Special instruction interceptor: First address: 1095EA7 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: E379BF instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: FE08A6 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 1055EA7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 3979BF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 5408A6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 5B5EA7 instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_05190D9F rdtsc 0_2_05190D9F
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Window / User API: threadDelayed 2455 Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Window / User API: threadDelayed 5502 Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Window / User API: threadDelayed 796 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1673 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1711 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1730 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1728 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1718 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 4438
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 4408
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 2220
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 2219
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 2198
Found decision node followed by non-executed suspicious APIs
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe TID: 6684 Thread sleep count: 54 > 30 Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe TID: 6684 Thread sleep time: -108054s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe TID: 6660 Thread sleep count: 2455 > 30 Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe TID: 6660 Thread sleep time: -4912455s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe TID: 6636 Thread sleep count: 5502 > 30 Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe TID: 6636 Thread sleep time: -11009502s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe TID: 6540 Thread sleep count: 274 > 30 Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe TID: 5284 Thread sleep count: 54 > 30 Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe TID: 5284 Thread sleep time: -108054s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe TID: 6632 Thread sleep count: 125 > 30 Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe TID: 6632 Thread sleep time: -250125s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe TID: 6608 Thread sleep count: 87 > 30 Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe TID: 6608 Thread sleep time: -174087s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe TID: 6636 Thread sleep count: 796 > 30 Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe TID: 6636 Thread sleep time: -1592796s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7960 Thread sleep count: 55 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7960 Thread sleep time: -110055s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7932 Thread sleep count: 47 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7932 Thread sleep time: -94047s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6028 Thread sleep count: 31 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6028 Thread sleep count: 282 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7936 Thread sleep count: 1673 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7936 Thread sleep time: -3347673s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7928 Thread sleep count: 1711 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7928 Thread sleep time: -3423711s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7948 Thread sleep count: 48 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7948 Thread sleep time: -96048s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7920 Thread sleep count: 1730 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7920 Thread sleep time: -3461730s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7940 Thread sleep count: 1728 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7940 Thread sleep time: -3457728s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7816 Thread sleep count: 1718 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7816 Thread sleep time: -3437718s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8380 Thread sleep count: 68 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8380 Thread sleep time: -136068s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8388 Thread sleep count: 69 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8388 Thread sleep time: -138069s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8372 Thread sleep count: 4438 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8372 Thread sleep time: -8880438s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8340 Thread sleep count: 265 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8396 Thread sleep count: 69 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8396 Thread sleep time: -138069s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8376 Thread sleep count: 4408 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8376 Thread sleep time: -8820408s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8392 Thread sleep count: 72 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8392 Thread sleep time: -144072s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8708 Thread sleep count: 74 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8708 Thread sleep time: -148074s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8712 Thread sleep count: 69 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8712 Thread sleep time: -138069s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8624 Thread sleep count: 53 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8704 Thread sleep count: 62 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8704 Thread sleep time: -124062s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8624 Thread sleep count: 228 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8884 Thread sleep count: 81 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8688 Thread sleep count: 2220 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8688 Thread sleep time: -4442220s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8700 Thread sleep count: 61 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8700 Thread sleep time: -122061s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8684 Thread sleep count: 2219 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8684 Thread sleep time: -4440219s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8696 Thread sleep count: 2198 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8696 Thread sleep time: -4398198s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 9016 Thread sleep count: 37 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 9016 Thread sleep time: -74037s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 9020 Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 9020 Thread sleep time: -72036s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8992 Thread sleep time: -36018s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8916 Thread sleep count: 123 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 9096 Thread sleep count: 129 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 9096 Thread sleep count: 78 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8996 Thread sleep count: 37 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8996 Thread sleep time: -74037s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 9000 Thread sleep count: 35 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 9000 Thread sleep time: -70035s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8916 Thread sleep count: 44 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00DA33B0 FindFirstFileA,FindNextFileA, 0_2_00DA33B0
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00DC3B20 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_00DC3B20
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00D11F8C FindFirstFileExW, 0_2_00D11F8C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00D633B0 FindFirstFileA,FindNextFileA, 10_2_00D633B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00D83B20 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 10_2_00D83B20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00CD1F8C FindFirstFileExW, 10_2_00CD1F8C
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00DBD2B0 RegOpenKeyExA,RegQueryValueExA,RegOpenKeyExA,RegQueryValueExA,GetLocalTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA, 0_2_00DBD2B0
Source: 4yFaZU8fhT.exe, 4yFaZU8fhT.exe, 00000000.00000002.2982096322.0000000000FF8000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 0000000A.00000002.2633813227.0000000000FB8000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 0000000B.00000002.2879205841.0000000000FB8000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000D.00000002.2519184136.0000000000518000.00000040.00000001.01000000.00000009.sdmp, RageMP131.exe, 0000000E.00000002.2511567695.0000000000518000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: RageMP131.exe, 0000000D.00000002.2527821959.0000000007CD8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}E
Source: RageMP131.exe, 0000000E.00000002.2518006348.0000000007664000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: http://147.45.47.102:57893/hera/amadka.exennet
Source: 4yFaZU8fhT.exe, 00000000.00000002.2983003305.0000000001450000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&p
Source: RageMP131.exe, 0000000D.00000002.2521392312.00000000012B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW|
Source: RageMP131.exe, 0000000E.00000002.2513150381.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 0000000A.00000002.2651889050.0000000008F46000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}2G
Source: MPGPH131.exe, 0000000B.00000002.2878151031.0000000000B38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&i
Source: 4yFaZU8fhT.exe, 00000000.00000002.2983003305.0000000001509000.00000004.00000020.00020000.00000000.sdmp, 4yFaZU8fhT.exe, 00000000.00000002.2983003305.00000000014B8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2639796771.0000000001792000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2689613356.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000002.2878151031.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.2683067992.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000002.2878151031.0000000000B93000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2521392312.00000000012B8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2247692273.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.2247692273.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 4yFaZU8fhT.exe, 00000000.00000002.2983003305.00000000014CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_4E64D0DF
Source: MPGPH131.exe, 0000000B.00000002.2885742027.0000000007A24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}SModulePath=%ProgramFiles(x86)%\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows8p
Source: RageMP131.exe, 0000000D.00000003.1859488474.00000000012A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}u
Source: RageMP131.exe, 0000000E.00000002.2513863501.0000000000F25000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_4E64D0DF
Source: 4yFaZU8fhT.exe, 00000000.00000002.2991328734.0000000007CB0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}.cz,a.io,b.io,c.io,d.io,e.io,f.io,g.io,h.io,i.io,j.io,k.io,l.io,m.io,n.io,o.io,p.io,q.io,r.io,s.io,t.io,u.
Source: RageMP131.exe, 0000000E.00000003.1928175242.0000000000EA5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 0000000A.00000002.2651490666.0000000008E6A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}SModulePath=%ProgramFiles(x86)%\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows
Source: MPGPH131.exe, 0000000B.00000002.2878151031.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}6]
Source: MPGPH131.exe, 0000000B.00000002.2878151031.0000000000C1D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_4E64D0DFn
Source: RageMP131.exe, 0000000E.00000002.2513150381.0000000000E30000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: RageMP131.exe, 0000000E.00000002.2513150381.0000000000EB3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}rome\Application\117.0.5938.132\Locales\en-US.pak,b.in,
Source: RageMP131.exe, 0000000E.00000002.2513863501.0000000000F25000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_4E64D0DF*
Source: 4yFaZU8fhT.exe, 00000000.00000002.2983003305.0000000001509000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_4E64D0DFe
Source: RageMP131.exe, 0000000D.00000002.2521392312.0000000001288000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Dm)
Source: MPGPH131.exe, 0000000A.00000002.2639796771.0000000001757000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}TKv
Source: RageMP131.exe, 0000000D.00000002.2528876996.00000000085F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\**
Source: MPGPH131.exe, 0000000A.00000002.2639796771.0000000001757000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2521392312.0000000001288000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH
Source: RageMP131.exe, 0000000E.00000002.2518006348.000000000768C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}eed_streak":0,"variations_last_fetch_time":"13340807297493152","variations_permanent_consistency_country":["117.0.2045.47","US"],"variations_seed_client_version_at_store":"92.0.902.67","variations_seed_date":"13340807297000000","variations_seed_signature":"","was":{"restarted":false},"web_widget":{"disabled_due_extensions":false}}
Source: RageMP131.exe, 0000000E.00000002.2513150381.0000000000EB3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}al\Temp\span5MxvrgAt2zgZ\3b6N2Xdh3CYwplaces.sqlitee
Source: 4yFaZU8fhT.exe, 00000000.00000003.2800648256.0000000007D36000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}S
Source: MPGPH131.exe, 0000000A.00000002.2646786601.00000000080C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000jJ+raY3fcAAAAADoAAAAACAAAgAAAAsg3hXdbXl6JIj8KFvhbWlaqVSpM3ag+0g0nExYB2Z1kwAAAAXs7yCB0jG0dlOoc3vEVs9i7od11B2WMH/KUhpHcou9G+td0MFm7TbYmBYp+W6oz0QAAAAKC50pMZjy5JuFdPJkfkvdz5M/WEaqLV4y0vGKstMEYyYGkCaVQJBxfIW1ld4AGaKWP+RKiQ
Source: 4yFaZU8fhT.exe, 00000000.00000002.2983003305.00000000014E9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
Source: 4yFaZU8fhT.exe, 00000000.00000002.2982096322.0000000000FF8000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 0000000A.00000002.2633813227.0000000000FB8000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 0000000B.00000002.2879205841.0000000000FB8000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000D.00000002.2519184136.0000000000518000.00000040.00000001.01000000.00000009.sdmp, RageMP131.exe, 0000000E.00000002.2511567695.0000000000518000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: MPGPH131.exe, 0000000A.00000002.2639796771.0000000001792000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Potentially malicious time measurement code found
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_051D034C Start: 051D05F4 End: 051D03E6 0_2_051D034C
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: ollydbg
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: SICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_05190D9F rdtsc 0_2_05190D9F
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00DA4130 mov eax, dword ptr fs:[00000030h] 0_2_00DA4130
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00D71A60 mov eax, dword ptr fs:[00000030h] 0_2_00D71A60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00D64130 mov eax, dword ptr fs:[00000030h] 10_2_00D64130
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 10_2_00D31A60 mov eax, dword ptr fs:[00000030h] 10_2_00D31A60
Source: 4yFaZU8fhT.exe, 4yFaZU8fhT.exe, 00000000.00000002.2982096322.0000000000FF8000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Program Manager
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00DBD2B0 RegOpenKeyExA,RegQueryValueExA,RegOpenKeyExA,RegQueryValueExA,GetLocalTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA, 0_2_00DBD2B0
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Code function: 0_2_00DBD2B0 RegOpenKeyExA,RegQueryValueExA,RegOpenKeyExA,RegQueryValueExA,GetLocalTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA, 0_2_00DBD2B0
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected RisePro Stealer
Source: Yara match File source: 00000000.00000002.2991328734.0000000007CB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2646786601.00000000080C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.2697286303.0000000007A21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2885742027.0000000007A24000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2983003305.000000000145E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.2329793906.00000000076EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2518257796.00000000076EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2527821959.0000000007CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4yFaZU8fhT.exe PID: 6572, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 3872, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 8336, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 8620, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 8912, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\It7WWM490pJiLWT9SBna9zQ.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Zl25MAjpYnUTIyBcq9pxH9f.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\nYnjdG8klVHCmZpVavgqo18.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\oMBTImdRbSxje11wDKstOdo.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\mdNy7lj2nRknu8dCyONmCOJ.zip, type: DROPPED
Found many strings related to Crypto-Wallets (likely being stolen)
Source: 4yFaZU8fhT.exe, 00000000.00000002.2983003305.0000000001509000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum-LTC\wallets;y
Source: MPGPH131.exe, 0000000A.00000002.2647787884.0000000008170000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ta\Roaming\ElectronCash\wallets
Source: 4yFaZU8fhT.exe, 00000000.00000003.2402881953.0000000007CD6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxx Liberty Extension
Source: 4yFaZU8fhT.exe, 00000000.00000002.2983003305.0000000001509000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: 4yFaZU8fhT.exe, 00000000.00000002.2983003305.0000000001509000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: 4yFaZU8fhT.exe, 00000000.00000002.2983003305.0000000001509000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: MPGPH131.exe, 0000000B.00000002.2878151031.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
Source: 4yFaZU8fhT.exe, 00000000.00000002.2983003305.0000000001509000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: 4yFaZU8fhT.exe, 00000000.00000002.2983003305.0000000001509000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: 4yFaZU8fhT.exe, 00000000.00000002.2983003305.0000000001509000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.walletsht
Source: MPGPH131.exe, 0000000A.00000002.2648633318.0000000008340000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\places.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\4yFaZU8fhT.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Yara detected Credential Stealer
Source: Yara match File source: 00000000.00000002.2983003305.0000000001509000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2518637804.0000000007770000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2878151031.0000000000BC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4yFaZU8fhT.exe PID: 6572, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 3872, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 8336, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 8620, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 8912, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected RisePro Stealer
Source: Yara match File source: 00000000.00000002.2991328734.0000000007CB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2646786601.00000000080C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.2697286303.0000000007A21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2885742027.0000000007A24000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2983003305.000000000145E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.2329793906.00000000076EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2518257796.00000000076EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2527821959.0000000007CD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4yFaZU8fhT.exe PID: 6572, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 3872, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 8336, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 8620, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 8912, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\It7WWM490pJiLWT9SBna9zQ.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Zl25MAjpYnUTIyBcq9pxH9f.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\nYnjdG8klVHCmZpVavgqo18.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\oMBTImdRbSxje11wDKstOdo.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\mdNy7lj2nRknu8dCyONmCOJ.zip, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1435304 Sample: 4yFaZU8fhT.exe Startdate: 02/05/2024 Architecture: WINDOWS Score: 100 48 www.google.com 2->48 50 ipinfo.io 2->50 52 db-ip.com 2->52 66 Snort IDS alert for network traffic 2->66 68 Multi AV Scanner detection for domain / URL 2->68 70 Antivirus detection for URL or domain 2->70 72 5 other signatures 2->72 8 4yFaZU8fhT.exe 6 62 2->8         started        13 MPGPH131.exe 5 53 2->13         started        15 RageMP131.exe 2->15         started        17 4 other processes 2->17 signatures3 process4 dnsIp5 58 147.45.47.93, 49739, 49748, 49750 FREE-NET-ASFREEnetEU Russian Federation 8->58 34 C:\Users\user\AppData\Local\...\RageMP131.exe, PE32 8->34 dropped 36 C:\ProgramData\MPGPH131\MPGPH131.exe, PE32 8->36 dropped 38 C:\Users\user\...\It7WWM490pJiLWT9SBna9zQ.zip, Zip 8->38 dropped 74 Detected unpacking (changes PE section rights) 8->74 76 Tries to steal Mail credentials (via file / registry access) 8->76 78 Found many strings related to Crypto-Wallets (likely being stolen) 8->78 96 3 other signatures 8->96 19 schtasks.exe 1 8->19         started        21 schtasks.exe 1 8->21         started        40 C:\Users\user\...\mdNy7lj2nRknu8dCyONmCOJ.zip, Zip 13->40 dropped 80 Multi AV Scanner detection for dropped file 13->80 82 Machine Learning detection for dropped file 13->82 84 Found stalling execution ending in API Sleep call 13->84 42 C:\Users\user\...\oMBTImdRbSxje11wDKstOdo.zip, Zip 15->42 dropped 86 Tries to detect sandboxes and other dynamic analysis tools (window names) 15->86 88 Tries to evade debugger and weak emulator (self modifying code) 15->88 90 Hides threads from debuggers 15->90 60 192.168.2.4, 138, 443, 49723 unknown unknown 17->60 62 ipinfo.io 34.117.186.192, 443, 49760, 49762 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 17->62 64 2 other IPs or domains 17->64 44 C:\Users\user\...\nYnjdG8klVHCmZpVavgqo18.zip, Zip 17->44 dropped 46 C:\Users\user\...\Zl25MAjpYnUTIyBcq9pxH9f.zip, Zip 17->46 dropped 92 Tries to harvest and steal browser information (history, passwords, etc) 17->92 94 Tries to detect sandboxes / dynamic malware analysis system (registry check) 17->94 23 chrome.exe 17->23         started        26 chrome.exe 17->26         started        28 chrome.exe 17->28         started        file6 signatures7 process8 dnsIp9 30 conhost.exe 19->30         started        32 conhost.exe 21->32         started        54 www.google.com 142.251.40.100, 443, 49731, 49734 GOOGLEUS United States 23->54 56 142.251.40.132, 443, 49774 GOOGLEUS United States 26->56 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
34.117.186.192
 ipinfo.io United States
139070 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG false
142.251.40.132
 unknown United States
15169 GOOGLEUS false
142.251.40.100
 www.google.com United States
15169 GOOGLEUS false
239.255.255.250
 unknown Reserved
unknown unknown false
147.45.47.93
 unknown Russian Federation
2895 FREE-NET-ASFREEnetEU true
104.26.5.15
 db-ip.com United States
13335 CLOUDFLARENETUS false

Private

IP
192.168.2.4

Contacted Domains

Name IP Active
ipinfo.io 34.117.186.192 true
www.google.com 142.251.40.100 true
db-ip.com 104.26.5.15 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://ipinfo.io/widget/demo/191.96.150.225 false
    		high
    https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0 false
      		high
      https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGL2BzrEGIjCk_ClrTmb3b7jxSkTuezkF8p0VhoyRfvj35Q1kYqg7vTJr3qrm_0zGF42jmB1yB00yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM false
        		high
        https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGL2BzrEGIjBXJ0kBWdrfk7lX7b32Pkj8zyy-ogwXNHSaOgwpNLYp9h0DCW090wxAGGW6cY1tJVYyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM false
          		high
          https://www.google.com/async/newtab_promos false
            		high
            https://db-ip.com/demo/home.php?s=191.96.150.225 false
              		high
              https://www.google.com/async/ddljson?async=ntp:2 false
                		high
                https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw false
                  		high