Windows Analysis Report
hYrJbjnzVc.exe

Overview

General Information

Sample name: hYrJbjnzVc.exe
renamed because original name is a hash value
Original sample name: adb680e5c7586df1d183ad1ef4807648.exe
Analysis ID: 1435364
MD5: adb680e5c7586df1d183ad1ef4807648
SHA1: df9c9e796c877100ebe80a457d57d9358401be50
SHA256: 597e094a98f56c0ef8b89cedd7c96d14fca1f5dd25e6e120525246d47de6ba96
Tags: 32, exe, trojan

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
Connects to many ports of the same IP (likely port scanning)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: C:\ProgramData\MPGPH131\MPGPH131.exe ReversingLabs: Detection: 52%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Virustotal: Detection: 50%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Virustotal: Detection: 50%
Source: hYrJbjnzVc.exe ReversingLabs: Detection: 52%
Source: hYrJbjnzVc.exe Virustotal: Detection: 51%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Source: hYrJbjnzVc.exe Joe Sandbox ML: detected
Source: hYrJbjnzVc.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.6:49710
Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.6:49710 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.6:49710 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.6:49712
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.6:49713
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.6:49712 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.6:49713 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.6:49719
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.6:49719 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.6:49721
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.6:49721 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.6:49710
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.6:49712
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.6:49713
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.6:49719
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.6:49721
Source: global traffic TCP traffic: 147.45.47.93 ports 0,5,7,8,58709,9
Source: global traffic TCP traffic: 192.168.2.6:49710 -> 147.45.47.93:58709
Source: Joe Sandbox View IP Address: 147.45.47.93
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU
Source: unknown DNS query: name: ipinfo.io
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Code function: 0_2_00345940 recv,WSAStartup,closesocket,socket,connect,closesocket, 0_2_00345940
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: hYrJbjnzVc.exe, 00000000.00000003.2086229029.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, hYrJbjnzVc.exe, 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3340659649.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.2169961403.0000000004B20000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3338357309.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2169331680.0000000005620000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3340135861.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.2272253211.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3340478716.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2364731644.0000000005020000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: RageMP131.exe, RageMP131.exe, 0000000C.00000002.3338900504.0000000000D25000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3338900504.0000000000D3F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: RageMP131.exe, 0000000C.00000002.3338900504.0000000000D3F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/5
Source: MPGPH131.exe, 00000006.00000002.3339556281.0000000000957000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/M%
Source: hYrJbjnzVc.exe, 00000000.00000002.3343201264.0000000001290000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/ameSpace=
Source: RageMP131.exe, 00000008.00000002.3338690809.0000000000937000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/g_Entries
Source: hYrJbjnzVc.exe, 00000000.00000003.2086229029.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, hYrJbjnzVc.exe, 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3340659649.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.2169961403.0000000004B20000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3338357309.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2169331680.0000000005620000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3340135861.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.2272253211.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3340478716.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2364731644.0000000005020000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: RageMP131.exe, 00000008.00000002.3338690809.000000000094D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/tG
Source: hYrJbjnzVc.exe, 00000000.00000002.3343201264.00000000012BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3339556281.0000000000987000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3341384311.000000000177C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3341384311.000000000171B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3338690809.0000000000967000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3338900504.0000000000D30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.225
Source: RageMP131.exe, 00000008.00000002.3338690809.0000000000967000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.225R
Source: hYrJbjnzVc.exe, 00000000.00000002.3343201264.00000000012BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.225T5
Source: hYrJbjnzVc.exe, 00000000.00000002.3343201264.00000000012BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.225r2G
Source: hYrJbjnzVc.exe, 00000000.00000002.3343201264.000000000125E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3339556281.000000000092E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3341384311.000000000171B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3338690809.000000000090E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3338900504.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: MPGPH131.exe, 00000007.00000002.3341384311.000000000171B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTD
Source: RageMP131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

System Summary

Source: hYrJbjnzVc.exe Static PE information: section name:
Source: hYrJbjnzVc.exe Static PE information: section name: .idata
Source: hYrJbjnzVc.exe Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 00D64370 appears 48 times
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: String function: 00F14370 appears 48 times
Source: hYrJbjnzVc.exe Binary or memory string: OriginalFilename vs hYrJbjnzVc.exe
Source: hYrJbjnzVc.exe, 00000000.00000003.2131257623.0000000007327000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs hYrJbjnzVc.exe
Source: hYrJbjnzVc.exe, 00000000.00000002.3339409472.000000000040F000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs hYrJbjnzVc.exe
Source: hYrJbjnzVc.exe, 00000000.00000000.2076126335.0000000000847000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs hYrJbjnzVc.exe
Source: hYrJbjnzVc.exe, 00000000.00000002.3340798675.0000000000847000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs hYrJbjnzVc.exe
Source: hYrJbjnzVc.exe, 00000000.00000002.3346617022.0000000002C88000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs hYrJbjnzVc.exe
Source: hYrJbjnzVc.exe Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs hYrJbjnzVc.exe
Source: classification engine Classification label: mal100.troj.evad.winEXE@11/5@1/1
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe File created: C:\Users\user\AppData\Local\RageMP131
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4608:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5952:120:WilError_03
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: hYrJbjnzVc.exe, 00000000.00000003.2086229029.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, hYrJbjnzVc.exe, 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3340659649.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.2169961403.0000000004B20000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3338357309.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2169331680.0000000005620000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3340135861.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.2272253211.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3340478716.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2364731644.0000000005020000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: hYrJbjnzVc.exe, 00000000.00000003.2086229029.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, hYrJbjnzVc.exe, 00000000.00000002.3338326862.0000000000281000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3340659649.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.2169961403.0000000004B20000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3338357309.0000000000D31000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2169331680.0000000005620000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3340135861.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.2272253211.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3340478716.0000000000EE1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2364731644.0000000005020000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: hYrJbjnzVc.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: hYrJbjnzVc.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe File read: C:\Users\user\Desktop\hYrJbjnzVc.exe
Source: unknown Process created: C:\Users\user\Desktop\hYrJbjnzVc.exe "C:\Users\user\Desktop\hYrJbjnzVc.exe"
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll
Source: hYrJbjnzVc.exe Static file information: File size 2372608 > 1048576
Source: hYrJbjnzVc.exe Static PE information: Raw size of rtycizfs is bigger than: 0x100000 < 0x194400

Data Obfuscation

Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Unpacked PE file: 0.2.hYrJbjnzVc.exe.280000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rtycizfs:EW;ybcmmseg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rtycizfs:EW;ybcmmseg:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 6.2.MPGPH131.exe.d30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rtycizfs:EW;ybcmmseg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rtycizfs:EW;ybcmmseg:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 7.2.MPGPH131.exe.d30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rtycizfs:EW;ybcmmseg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rtycizfs:EW;ybcmmseg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 8.2.RageMP131.exe.ee0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rtycizfs:EW;ybcmmseg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rtycizfs:EW;ybcmmseg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 12.2.RageMP131.exe.ee0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rtycizfs:EW;ybcmmseg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rtycizfs:EW;ybcmmseg:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: RageMP131.exe.0.dr Static PE information: real checksum: 0x245ac8 should be: 0x252c23
Source: MPGPH131.exe.0.dr Static PE information: real checksum: 0x245ac8 should be: 0x252c23
Source: hYrJbjnzVc.exe Static PE information: real checksum: 0x245ac8 should be: 0x252c23
Source: hYrJbjnzVc.exe Static PE information: section name:
Source: hYrJbjnzVc.exe Static PE information: section name: .idata
Source: hYrJbjnzVc.exe Static PE information: section name:
Source: hYrJbjnzVc.exe Static PE information: section name: rtycizfs
Source: hYrJbjnzVc.exe Static PE information: section name: ybcmmseg
Source: hYrJbjnzVc.exe Static PE information: section name: .taggant
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: rtycizfs
Source: RageMP131.exe.0.dr Static PE information: section name: ybcmmseg
Source: RageMP131.exe.0.dr Static PE information: section name: .taggant
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: rtycizfs
Source: MPGPH131.exe.0.dr Static PE information: section name: ybcmmseg
Source: MPGPH131.exe.0.dr Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Code function: 0_2_002B3F49 push ecx; ret 0_2_002B3F5C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00D63F49 push ecx; ret 6_2_00D63F5C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00D63F49 push ecx; ret 7_2_00D63F5C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_00F13F49 push ecx; ret 8_2_00F13F5C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 12_2_00F13F49 push ecx; ret 12_2_00F13F5C
Source: hYrJbjnzVc.exe Static PE information: section name: entropy: 7.924289235236996
Source: hYrJbjnzVc.exe Static PE information: section name: rtycizfs entropy: 7.911667279717006
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.924289235236996
Source: RageMP131.exe.0.dr Static PE information: section name: rtycizfs entropy: 7.911667279717006
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.924289235236996
Source: MPGPH131.exe.0.dr Static PE information: section name: rtycizfs entropy: 7.911667279717006
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Boot Survival

Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5BEB15 second address: 5BEB19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5BEB19 second address: 5BEB1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5BEB8E second address: 5BEB93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5BF479 second address: 5BF4C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 push edx 0x00000013 jmp 00007F9630EEA8B6h 0x00000018 pop edx 0x00000019 pushad 0x0000001a jmp 00007F9630EEA8ABh 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5BFB11 second address: 5BFB15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5BFD41 second address: 5BFD46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5C0E6F second address: 5C0E75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5C1F0D second address: 5C1F6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 pop edi 0x00000009 popad 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007F9630EEA8A8h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 mov edi, dword ptr [ebp+122D2B0Ch] 0x0000002b mov si, dx 0x0000002e push 00000000h 0x00000030 mov di, cx 0x00000033 push 00000000h 0x00000035 mov di, F366h 0x00000039 xchg eax, ebx 0x0000003a pushad 0x0000003b ja 00007F9630EEA8A8h 0x00000041 pushad 0x00000042 pushad 0x00000043 popad 0x00000044 jmp 00007F9630EEA8AAh 0x00000049 popad 0x0000004a popad 0x0000004b push eax 0x0000004c pushad 0x0000004d jng 00007F9630EEA8ACh 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5C2B5D second address: 5C2B76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F96311B0BD5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5C280F second address: 5C2815 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5C2815 second address: 5C2819 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5C3629 second address: 5C362D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5C362D second address: 5C3691 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BCFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F96311B0BD3h 0x0000000e popad 0x0000000f push eax 0x00000010 jmp 00007F96311B0BD1h 0x00000015 nop 0x00000016 mov esi, 54104D66h 0x0000001b mov esi, edi 0x0000001d push 00000000h 0x0000001f jmp 00007F96311B0BD9h 0x00000024 push 00000000h 0x00000026 xchg eax, ebx 0x00000027 push ecx 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5C4C61 second address: 5C4CBA instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F9630EEA8A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F9630EEA8B1h 0x00000010 push edi 0x00000011 pop edi 0x00000012 popad 0x00000013 popad 0x00000014 nop 0x00000015 push 00000000h 0x00000017 push esi 0x00000018 call 00007F9630EEA8A8h 0x0000001d pop esi 0x0000001e mov dword ptr [esp+04h], esi 0x00000022 add dword ptr [esp+04h], 00000017h 0x0000002a inc esi 0x0000002b push esi 0x0000002c ret 0x0000002d pop esi 0x0000002e ret 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 pushad 0x00000034 mov ax, cx 0x00000037 xor di, 4B00h 0x0000003c popad 0x0000003d push eax 0x0000003e pushad 0x0000003f pushad 0x00000040 js 00007F9630EEA8A6h 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5C5792 second address: 5C5798 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5C5798 second address: 5C57A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5C8FA5 second address: 5C9003 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F96311B0BCFh 0x0000000f push eax 0x00000010 jmp 00007F96311B0BCAh 0x00000015 pop eax 0x00000016 popad 0x00000017 nop 0x00000018 push 00000000h 0x0000001a push ebx 0x0000001b call 00007F96311B0BC8h 0x00000020 pop ebx 0x00000021 mov dword ptr [esp+04h], ebx 0x00000025 add dword ptr [esp+04h], 00000018h 0x0000002d inc ebx 0x0000002e push ebx 0x0000002f ret 0x00000030 pop ebx 0x00000031 ret 0x00000032 and edi, dword ptr [ebp+122D36E5h] 0x00000038 push 00000000h 0x0000003a movsx edi, dx 0x0000003d push 00000000h 0x0000003f mov di, dx 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 pushad 0x00000047 popad 0x00000048 pop eax 0x00000049 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5CA137 second address: 5CA154 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9630EEA8B1h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5CE15B second address: 5CE176 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F96311B0BD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5CE176 second address: 5CE1D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007F9630EEA8A8h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 00000016h 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 push 00000000h 0x00000024 mov bh, C2h 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push ebp 0x0000002b call 00007F9630EEA8A8h 0x00000030 pop ebp 0x00000031 mov dword ptr [esp+04h], ebp 0x00000035 add dword ptr [esp+04h], 00000017h 0x0000003d inc ebp 0x0000003e push ebp 0x0000003f ret 0x00000040 pop ebp 0x00000041 ret 0x00000042 xchg eax, esi 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007F9630EEA8B2h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5CE1D6 second address: 5CE1DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5CC216 second address: 5CC21A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5CD25E second address: 5CD265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5CE1DC second address: 5CE1EE instructions: 0x00000000 rdtsc 0x00000002 js 00007F9630EEA8A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5CC21A second address: 5CC21E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5CE1EE second address: 5CE1F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5CD265 second address: 5CD2D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BCAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a je 00007F96311B0BCCh 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push edi 0x00000014 pop edi 0x00000015 popad 0x00000016 nop 0x00000017 push dword ptr fs:[00000000h] 0x0000001e mov edi, dword ptr [ebp+122D2D96h] 0x00000024 mov dword ptr fs:[00000000h], esp 0x0000002b mov di, 93FEh 0x0000002f mov eax, dword ptr [ebp+122D0BD9h] 0x00000035 push 00000000h 0x00000037 push esi 0x00000038 call 00007F96311B0BC8h 0x0000003d pop esi 0x0000003e mov dword ptr [esp+04h], esi 0x00000042 add dword ptr [esp+04h], 00000014h 0x0000004a inc esi 0x0000004b push esi 0x0000004c ret 0x0000004d pop esi 0x0000004e ret 0x0000004f jmp 00007F96311B0BCDh 0x00000054 add ebx, 0030E807h 0x0000005a push FFFFFFFFh 0x0000005c mov bx, 52F7h 0x00000060 push eax 0x00000061 push ebx 0x00000062 pushad 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5CC21E second address: 5CC224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5CF1ED second address: 5CF2C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BD5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007F96311B0BC8h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 00000016h 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 jnl 00007F96311B0BD2h 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push eax 0x00000031 call 00007F96311B0BC8h 0x00000036 pop eax 0x00000037 mov dword ptr [esp+04h], eax 0x0000003b add dword ptr [esp+04h], 0000001Ch 0x00000043 inc eax 0x00000044 push eax 0x00000045 ret 0x00000046 pop eax 0x00000047 ret 0x00000048 mov dword ptr [ebp+122D1D9Bh], ecx 0x0000004e push 00000000h 0x00000050 call 00007F96311B0BD2h 0x00000055 or dword ptr [ebp+122D1D1Dh], edx 0x0000005b pop ebx 0x0000005c pushad 0x0000005d call 00007F96311B0BD4h 0x00000062 adc si, 953Fh 0x00000067 pop edi 0x00000068 and esi, dword ptr [ebp+122D2A28h] 0x0000006e popad 0x0000006f xchg eax, esi 0x00000070 jmp 00007F96311B0BD7h 0x00000075 push eax 0x00000076 push eax 0x00000077 push edx 0x00000078 push edi 0x00000079 jo 00007F96311B0BC6h 0x0000007f pop edi 0x00000080 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5D019A second address: 5D019F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5CF49B second address: 5CF49F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5CF49F second address: 5CF4A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5D036A second address: 5D0370 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5D11C9 second address: 5D11D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F9630EEA8A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5D0370 second address: 5D037A instructions: 0x00000000 rdtsc 0x00000002 jl 00007F96311B0BCCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5D31FC second address: 5D3202 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5D3202 second address: 5D326A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BD7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007F96311B0BC8h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 0000001Dh 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 clc 0x00000029 push 00000000h 0x0000002b mov edi, ecx 0x0000002d push 00000000h 0x0000002f mov di, 829Bh 0x00000033 xchg eax, esi 0x00000034 jmp 00007F96311B0BCDh 0x00000039 push eax 0x0000003a pushad 0x0000003b push eax 0x0000003c push edx 0x0000003d jnp 00007F96311B0BC6h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5D432D second address: 5D4339 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F9630EEA8ACh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5D22C5 second address: 5D22CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5D1301 second address: 5D1321 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8ACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a jo 00007F9630EEA8A6h 0x00000010 pop ebx 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 pop eax 0x00000019 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5D4339 second address: 5D4343 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5D22CA second address: 5D22D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5D1321 second address: 5D132B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F96311B0BC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5D4343 second address: 5D43B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebx 0x0000000a call 00007F9630EEA8A8h 0x0000000f pop ebx 0x00000010 mov dword ptr [esp+04h], ebx 0x00000014 add dword ptr [esp+04h], 0000001Ah 0x0000001c inc ebx 0x0000001d push ebx 0x0000001e ret 0x0000001f pop ebx 0x00000020 ret 0x00000021 push eax 0x00000022 mov di, dx 0x00000025 pop edi 0x00000026 push 00000000h 0x00000028 mov ebx, esi 0x0000002a mov bh, 14h 0x0000002c push 00000000h 0x0000002e jl 00007F9630EEA8ACh 0x00000034 mov edi, dword ptr [ebp+122D1CF7h] 0x0000003a xchg eax, esi 0x0000003b push edx 0x0000003c pushad 0x0000003d jp 00007F9630EEA8A6h 0x00000043 push esi 0x00000044 pop esi 0x00000045 popad 0x00000046 pop edx 0x00000047 push eax 0x00000048 pushad 0x00000049 pushad 0x0000004a jp 00007F9630EEA8A6h 0x00000050 jmp 00007F9630EEA8B3h 0x00000055 popad 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5D132B second address: 5D13BD instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F96311B0BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d stc 0x0000000e xor bh, FFFFFFB5h 0x00000011 push dword ptr fs:[00000000h] 0x00000018 push ebx 0x00000019 mov ebx, 4AAE37F2h 0x0000001e pop ebx 0x0000001f mov dword ptr fs:[00000000h], esp 0x00000026 push 00000000h 0x00000028 push ebp 0x00000029 call 00007F96311B0BC8h 0x0000002e pop ebp 0x0000002f mov dword ptr [esp+04h], ebp 0x00000033 add dword ptr [esp+04h], 0000001Bh 0x0000003b inc ebp 0x0000003c push ebp 0x0000003d ret 0x0000003e pop ebp 0x0000003f ret 0x00000040 mov bx, dx 0x00000043 mov eax, dword ptr [ebp+122D1785h] 0x00000049 push 00000000h 0x0000004b push ebp 0x0000004c call 00007F96311B0BC8h 0x00000051 pop ebp 0x00000052 mov dword ptr [esp+04h], ebp 0x00000056 add dword ptr [esp+04h], 0000001Ch 0x0000005e inc ebp 0x0000005f push ebp 0x00000060 ret 0x00000061 pop ebp 0x00000062 ret 0x00000063 jc 00007F96311B0BD2h 0x00000069 jno 00007F96311B0BCCh 0x0000006f push FFFFFFFFh 0x00000071 mov bh, A8h 0x00000073 push eax 0x00000074 pushad 0x00000075 push eax 0x00000076 push edx 0x00000077 push eax 0x00000078 push edx 0x00000079 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5D43B3 second address: 5D43B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5D13BD second address: 5D13C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5D457B second address: 5D457F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5D457F second address: 5D4591 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b jg 00007F96311B0BC6h 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5D4591 second address: 5D4596 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5D669B second address: 5D66A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5D6884 second address: 5D688A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5D688A second address: 5D68A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F96311B0BC6h 0x00000009 js 00007F96311B0BC6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5D68A3 second address: 5D68BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5D68BE second address: 5D68C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5D68C4 second address: 5D6953 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F9630EEA8A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d pushad 0x0000000e mov esi, dword ptr [ebp+122D2BCCh] 0x00000014 mov eax, ecx 0x00000016 popad 0x00000017 push dword ptr fs:[00000000h] 0x0000001e mov ebx, dword ptr [ebp+122D2A14h] 0x00000024 pushad 0x00000025 mov ax, si 0x00000028 mov dword ptr [ebp+122D3720h], edx 0x0000002e popad 0x0000002f mov dword ptr fs:[00000000h], esp 0x00000036 movsx edi, di 0x00000039 mov eax, dword ptr [ebp+122D10B5h] 0x0000003f jbe 00007F9630EEA8BBh 0x00000045 je 00007F9630EEA8A8h 0x0000004b mov bl, 4Ch 0x0000004d push FFFFFFFFh 0x0000004f push 00000000h 0x00000051 push edi 0x00000052 call 00007F9630EEA8A8h 0x00000057 pop edi 0x00000058 mov dword ptr [esp+04h], edi 0x0000005c add dword ptr [esp+04h], 00000014h 0x00000064 inc edi 0x00000065 push edi 0x00000066 ret 0x00000067 pop edi 0x00000068 ret 0x00000069 mov edi, 6F470BC3h 0x0000006e nop 0x0000006f je 00007F9630EEA8B4h 0x00000075 pushad 0x00000076 push eax 0x00000077 push edx 0x00000078 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5D6953 second address: 5D6964 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F96311B0BC6h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5D862C second address: 5D86B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 pushad 0x00000007 jnp 00007F9630EEA8A8h 0x0000000d push eax 0x0000000e pop eax 0x0000000f jmp 00007F9630EEA8B6h 0x00000014 popad 0x00000015 nop 0x00000016 and edi, dword ptr [ebp+122D26AAh] 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push eax 0x00000021 call 00007F9630EEA8A8h 0x00000026 pop eax 0x00000027 mov dword ptr [esp+04h], eax 0x0000002b add dword ptr [esp+04h], 0000001Bh 0x00000033 inc eax 0x00000034 push eax 0x00000035 ret 0x00000036 pop eax 0x00000037 ret 0x00000038 mov dword ptr [ebp+122D24D4h], eax 0x0000003e push 00000000h 0x00000040 push 00000000h 0x00000042 push ebx 0x00000043 call 00007F9630EEA8A8h 0x00000048 pop ebx 0x00000049 mov dword ptr [esp+04h], ebx 0x0000004d add dword ptr [esp+04h], 00000019h 0x00000055 inc ebx 0x00000056 push ebx 0x00000057 ret 0x00000058 pop ebx 0x00000059 ret 0x0000005a xchg eax, esi 0x0000005b push ebx 0x0000005c push eax 0x0000005d push edx 0x0000005e jmp 00007F9630EEA8ABh 0x00000063 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5D77A4 second address: 5D77AE instructions: 0x00000000 rdtsc 0x00000002 jo 00007F96311B0BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5D6964 second address: 5D6969 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5D77AE second address: 5D77B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F96311B0BC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5D6969 second address: 5D696E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5D77B8 second address: 5D7848 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BCDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov ebx, dword ptr [ebp+122D2AC0h] 0x00000012 push dword ptr fs:[00000000h] 0x00000019 push 00000000h 0x0000001b push ecx 0x0000001c call 00007F96311B0BC8h 0x00000021 pop ecx 0x00000022 mov dword ptr [esp+04h], ecx 0x00000026 add dword ptr [esp+04h], 00000019h 0x0000002e inc ecx 0x0000002f push ecx 0x00000030 ret 0x00000031 pop ecx 0x00000032 ret 0x00000033 mov bx, CDB2h 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e push 00000000h 0x00000040 push ebx 0x00000041 call 00007F96311B0BC8h 0x00000046 pop ebx 0x00000047 mov dword ptr [esp+04h], ebx 0x0000004b add dword ptr [esp+04h], 0000001Dh 0x00000053 inc ebx 0x00000054 push ebx 0x00000055 ret 0x00000056 pop ebx 0x00000057 ret 0x00000058 mov edi, dword ptr [ebp+122D279Dh] 0x0000005e mov eax, dword ptr [ebp+122D178Dh] 0x00000064 mov dword ptr [ebp+1244566Bh], edx 0x0000006a push FFFFFFFFh 0x0000006c mov di, ax 0x0000006f nop 0x00000070 push eax 0x00000071 push edx 0x00000072 push edx 0x00000073 pushad 0x00000074 popad 0x00000075 pop edx 0x00000076 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5D7848 second address: 5D785F instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F9630EEA8A8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 jng 00007F9630EEA8A6h 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 621A9C second address: 621AA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 621AA1 second address: 621AAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F9630EEA8A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 621AAB second address: 621ABF instructions: 0x00000000 rdtsc 0x00000002 jc 00007F96311B0BC6h 0x00000008 jns 00007F96311B0BC6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 621ABF second address: 621AC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 621AC3 second address: 621AC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 62211F second address: 622125 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 6222AD second address: 6222B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F96311B0BC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 6222B8 second address: 6222C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F9630EEA8A6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 62246C second address: 6224A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jnp 00007F96311B0BC6h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push ecx 0x00000017 jns 00007F96311B0BC6h 0x0000001d pop ecx 0x0000001e pushad 0x0000001f jmp 00007F96311B0BD0h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 62286A second address: 622870 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 622870 second address: 62287A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 621618 second address: 621636 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F9630EEA8B8h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 628F95 second address: 628F9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 628F9B second address: 628FA1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 628FA1 second address: 628FA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 6290F1 second address: 6290FA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 6350D3 second address: 63510D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F96311B0BCCh 0x0000000c ja 00007F96311B0BCEh 0x00000012 popad 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F96311B0BD6h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 634AE9 second address: 634B00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9630EEA8ACh 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 634B00 second address: 634B0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BCBh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 634C4F second address: 634C5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 js 00007F9630EEA8A6h 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 634C5E second address: 634C69 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F96311B0BC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 634C69 second address: 634C6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 6368AC second address: 6368B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 6368B2 second address: 6368C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jno 00007F9630EEA8A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jp 00007F9630EEA8C0h 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 6368C9 second address: 6368CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 6368CF second address: 6368DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F9630EEA8A6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 639F76 second address: 639F88 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F96311B0BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007F96311B0BC6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 639F88 second address: 639F92 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9630EEA8A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 63A0F0 second address: 63A10B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BD5h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 646D94 second address: 646DAE instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F9630EEA8A6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007F9630EEA8AEh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 646DAE second address: 646DCD instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F96311B0BCAh 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F96311B0BCFh 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 646DCD second address: 646DD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 64A11F second address: 64A123 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 649F25 second address: 649F51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8B8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jno 00007F9630EEA8ACh 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 649F51 second address: 649F5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F96311B0BC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 649F5B second address: 649F61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 649F61 second address: 649F6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 649F6E second address: 649F8D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8B9h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 649F8D second address: 649F9E instructions: 0x00000000 rdtsc 0x00000002 je 00007F96311B0BCCh 0x00000008 jg 00007F96311B0BC6h 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 64F46F second address: 64F480 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007F9630EEA8A6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 64F480 second address: 64F486 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 64F486 second address: 64F496 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F9630EEA8A6h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 64F496 second address: 64F4A4 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F96311B0BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 64F4A4 second address: 64F4A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 655620 second address: 655624 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 655624 second address: 65562C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 655764 second address: 655778 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F96311B0BC6h 0x0000000e jns 00007F96311B0BC6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 669982 second address: 669986 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 66983B second address: 669850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F96311B0BCAh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 669850 second address: 669854 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 669854 second address: 669862 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 669862 second address: 669866 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 66CCE1 second address: 66CCE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 66CCE5 second address: 66CCFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F9630EEA8ADh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 66CCFA second address: 66CD04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F96311B0BC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 66CD04 second address: 66CD08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 66CD08 second address: 66CD21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F96311B0BCBh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push esi 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 666619 second address: 66662B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9630EEA8ACh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 66662B second address: 66662F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 679EDC second address: 679F05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8B5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F9630EEA8ACh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 679F05 second address: 679F11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007F96311B0BC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 6A2980 second address: 6A2999 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8B5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 6A2999 second address: 6A29A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 6A2B52 second address: 6A2B56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 6A2B56 second address: 6A2B6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BD2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 6A2B6C second address: 6A2B7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9630EEA8ABh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 6A2FFC second address: 6A3013 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BCEh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 6A3013 second address: 6A3023 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jl 00007F9630EEA8A6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 6A31D8 second address: 6A31DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 6A31DD second address: 6A31E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 6A31E3 second address: 6A3228 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F96311B0BCFh 0x00000009 jc 00007F96311B0BC6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jno 00007F96311B0BD0h 0x0000001a push esi 0x0000001b jno 00007F96311B0BC6h 0x00000021 jmp 00007F96311B0BCFh 0x00000026 pop esi 0x00000027 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 6A7A96 second address: 6A7AA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 6A7AA2 second address: 6A7AAC instructions: 0x00000000 rdtsc 0x00000002 jp 00007F96311B0BC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 6A7B25 second address: 6A7B2F instructions: 0x00000000 rdtsc 0x00000002 je 00007F9630EEA8ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 6A7B2F second address: 6A7B3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 6A7B3B second address: 6A7B58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9630EEA8B8h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 6A7E14 second address: 6A7E30 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jp 00007F96311B0BC6h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jl 00007F96311B0BD4h 0x00000013 pushad 0x00000014 jnl 00007F96311B0BC6h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 6A9471 second address: 6A9477 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 6A9477 second address: 6A9491 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F96311B0BD2h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 6A9491 second address: 6A9495 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 6A9495 second address: 6A94B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F96311B0BD5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 6A94B0 second address: 6A94B5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 6A94B5 second address: 6A94BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 6A94BE second address: 6A94C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 6AB42B second address: 6AB431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 6AB431 second address: 6AB46E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9630EEA8B8h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9630EEA8ACh 0x00000011 jmp 00007F9630EEA8B2h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4F9079E second address: 4F907FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F96311B0BD7h 0x00000008 pop ecx 0x00000009 mov esi, ebx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebp 0x0000000f jmp 00007F96311B0BD0h 0x00000014 mov dword ptr [esp], ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a mov eax, ebx 0x0000001c pushfd 0x0000001d jmp 00007F96311B0BD9h 0x00000022 jmp 00007F96311B0BCBh 0x00000027 popfd 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4F907FE second address: 4F90804 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4F90804 second address: 4F90808 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4F90808 second address: 4F90870 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F9630EEA8B8h 0x00000013 xor esi, 10258F68h 0x00000019 jmp 00007F9630EEA8ABh 0x0000001e popfd 0x0000001f pushfd 0x00000020 jmp 00007F9630EEA8B8h 0x00000025 jmp 00007F9630EEA8B5h 0x0000002a popfd 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4F90870 second address: 4F90883 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop esi 0x00000005 mov dx, B80Eh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4F90883 second address: 4F90887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4F90887 second address: 4F90895 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BCAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4F6001B second address: 4F60058 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F9630EEA8AEh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F9630EEA8AEh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4FC06F0 second address: 4FC0724 instructions: 0x00000000 rdtsc 0x00000002 call 00007F96311B0BCAh 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b xchg eax, ebx 0x0000000c jmp 00007F96311B0BD1h 0x00000011 push dword ptr [ebp+14h] 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F96311B0BCDh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4FC076A second address: 4FC0770 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4FC0770 second address: 4FC07A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BD4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esp, ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e movsx edx, cx 0x00000011 jmp 00007F96311B0BD6h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4FC07A7 second address: 4FC07AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4FC07AD second address: 4FC07B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4FC07B1 second address: 4FC07CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8ADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4FC07CB second address: 4FC07DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BCFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 50119D1 second address: 5011A2E instructions: 0x00000000 rdtsc 0x00000002 mov ch, 24h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 pushad 0x00000009 pushfd 0x0000000a jmp 00007F9630EEA8B3h 0x0000000f and ah, 0000003Eh 0x00000012 jmp 00007F9630EEA8B9h 0x00000017 popfd 0x00000018 mov ecx, 04F95887h 0x0000001d popad 0x0000001e mov ebp, esp 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F9630EEA8B9h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5011A2E second address: 5011AA7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 0000007Fh 0x0000000b pushad 0x0000000c mov ebx, ecx 0x0000000e pushfd 0x0000000f jmp 00007F96311B0BD8h 0x00000014 adc si, DEF8h 0x00000019 jmp 00007F96311B0BCBh 0x0000001e popfd 0x0000001f popad 0x00000020 push 00000001h 0x00000022 jmp 00007F96311B0BD6h 0x00000027 push dword ptr [ebp+08h] 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F96311B0BD7h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5011AD8 second address: 5011AE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, al 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c mov esi, ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5011AE6 second address: 50119D1 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F96311B0BCDh 0x00000008 sub eax, 0BFC1FB6h 0x0000000e jmp 00007F96311B0BD1h 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 movzx ecx, bx 0x00000019 popad 0x0000001a retn 0004h 0x0000001d lea eax, dword ptr [ebp-10h] 0x00000020 push eax 0x00000021 call ebx 0x00000023 mov edi, edi 0x00000025 pushad 0x00000026 jmp 00007F96311B0BD0h 0x0000002b mov ebx, eax 0x0000002d popad 0x0000002e xchg eax, ebp 0x0000002f jmp 00007F96311B0BCCh 0x00000034 push eax 0x00000035 pushad 0x00000036 pushfd 0x00000037 jmp 00007F96311B0BD1h 0x0000003c jmp 00007F96311B0BCBh 0x00000041 popfd 0x00000042 push eax 0x00000043 push edx 0x00000044 mov di, si 0x00000047 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5C1AD8 second address: 5C1ADC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5C1ADC second address: 5C1B07 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F96311B0BD9h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jbe 00007F96311B0BC6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5C1B07 second address: 5C1B0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5C1B0B second address: 5C1B11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4F6024E second address: 4F6027B instructions: 0x00000000 rdtsc 0x00000002 mov al, dl 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov di, si 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b jmp 00007F9630EEA8B6h 0x00000010 push eax 0x00000011 pushad 0x00000012 mov eax, edx 0x00000014 popad 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4F6027B second address: 4F60296 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BD7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4F603BC second address: 4F603DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b pushad 0x0000000c movzx eax, di 0x0000000f push eax 0x00000010 push edx 0x00000011 mov edi, 3541D18Ah 0x00000016 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4F40BB1 second address: 4F40C3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 2929046Ah 0x00000008 pushfd 0x00000009 jmp 00007F96311B0BCBh 0x0000000e jmp 00007F96311B0BD3h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ebp 0x00000018 pushad 0x00000019 call 00007F96311B0BD4h 0x0000001e movzx esi, dx 0x00000021 pop edi 0x00000022 mov cx, FCA3h 0x00000026 popad 0x00000027 push eax 0x00000028 jmp 00007F96311B0BD9h 0x0000002d xchg eax, ebp 0x0000002e jmp 00007F96311B0BCEh 0x00000033 mov ebp, esp 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F96311B0BD7h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4F40C3F second address: 4F40C57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9630EEA8B4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4F40C57 second address: 4F40C68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 pushad 0x0000000a mov cx, dx 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4FF04C4 second address: 4FF04C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4FF04C8 second address: 4FF04E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BD7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4FF04E3 second address: 4FF04FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9630EEA8B4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4FF04FB second address: 4FF04FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4FF04FF second address: 4FF053F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushfd 0x0000000e jmp 00007F9630EEA8B3h 0x00000013 xor cx, 6C6Eh 0x00000018 jmp 00007F9630EEA8B9h 0x0000001d popfd 0x0000001e rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4FF053F second address: 4FF0571 instructions: 0x00000000 rdtsc 0x00000002 mov edi, eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov di, cx 0x00000009 popad 0x0000000a pop ebp 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushfd 0x0000000f jmp 00007F96311B0BD2h 0x00000014 or ax, 0B18h 0x00000019 jmp 00007F96311B0BCBh 0x0000001e popfd 0x0000001f rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4FD00C2 second address: 4FD00C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4FD00C6 second address: 4FD00CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4FD00CC second address: 4FD00DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9630EEA8ACh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4FD00DC second address: 4FD00E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4FD00E0 second address: 4FD0110 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jmp 00007F9630EEA8ACh 0x0000000e mov dword ptr [esp], ebp 0x00000011 jmp 00007F9630EEA8B0h 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4FD0110 second address: 4FD0114 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4FD0114 second address: 4FD011A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4FA0E09 second address: 4FA0E50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop eax 0x00000005 mov bh, 1Ah 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebp, esp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov bx, 8322h 0x00000013 pushfd 0x00000014 jmp 00007F96311B0BD3h 0x00000019 xor ax, D01Eh 0x0000001e jmp 00007F96311B0BD9h 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4FA0E50 second address: 4FA0E56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4FA0E56 second address: 4FA0E5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4FA0E5A second address: 4FA0E7A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4FA0E7A second address: 4FA0E7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4FA0E7E second address: 4FA0E99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4FA0E99 second address: 4FA0E9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4FA0E9F second address: 4FA0EA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5030374 second address: 50303BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BD5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov edx, ecx 0x0000000f pushfd 0x00000010 jmp 00007F96311B0BD6h 0x00000015 sub esi, 79DD2488h 0x0000001b jmp 00007F96311B0BCBh 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 50303BD second address: 5030455 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9630EEA8AFh 0x00000008 mov bh, ah 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e pushad 0x0000000f pushad 0x00000010 mov eax, ebx 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 jmp 00007F9630EEA8B9h 0x0000001a popad 0x0000001b mov ebp, esp 0x0000001d pushad 0x0000001e push ecx 0x0000001f movsx edx, ax 0x00000022 pop esi 0x00000023 push ebx 0x00000024 movzx ecx, bx 0x00000027 pop edx 0x00000028 popad 0x00000029 push dword ptr [ebp+0Ch] 0x0000002c pushad 0x0000002d call 00007F9630EEA8B6h 0x00000032 pushfd 0x00000033 jmp 00007F9630EEA8B2h 0x00000038 jmp 00007F9630EEA8B5h 0x0000003d popfd 0x0000003e pop eax 0x0000003f mov cx, dx 0x00000042 popad 0x00000043 push dword ptr [ebp+08h] 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5030455 second address: 5030459 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5030459 second address: 503045D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 503045D second address: 5030463 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5030463 second address: 503049E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9630EEA8B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call 00007F9630EEA8A9h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F9630EEA8B5h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 503049E second address: 50304BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 50304BA second address: 50304BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 50304BE second address: 50304C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 50304C4 second address: 50305A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F9630EEA8ABh 0x00000009 sub ch, 0000006Eh 0x0000000c jmp 00007F9630EEA8B9h 0x00000011 popfd 0x00000012 mov ebx, eax 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b jmp 00007F9630EEA8ADh 0x00000020 mov eax, dword ptr [eax] 0x00000022 pushad 0x00000023 call 00007F9630EEA8B7h 0x00000028 jmp 00007F9630EEA8B8h 0x0000002d pop eax 0x0000002e pushfd 0x0000002f jmp 00007F9630EEA8ABh 0x00000034 sub ecx, 0906F68Eh 0x0000003a jmp 00007F9630EEA8B9h 0x0000003f popfd 0x00000040 popad 0x00000041 mov dword ptr [esp+04h], eax 0x00000045 pushad 0x00000046 pushfd 0x00000047 jmp 00007F9630EEA8B7h 0x0000004c and cx, 149Eh 0x00000051 jmp 00007F9630EEA8B9h 0x00000056 popfd 0x00000057 push eax 0x00000058 push edx 0x00000059 mov ax, 66BDh 0x0000005d rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 50305A8 second address: 50305AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 50305AC second address: 50305BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 50305BA second address: 50305BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 50305BE second address: 50305C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5030608 second address: 5030617 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F96311B0BCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5030617 second address: 5030649 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F9630EEA8AFh 0x00000009 add cl, 0000001Eh 0x0000000c jmp 00007F9630EEA8B9h 0x00000011 popfd 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 5030649 second address: 503066D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 movzx eax, al 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F96311B0BD6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 503066D second address: 5030673 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4FE05F4 second address: 4FE0601 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 xchg eax, ebp 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4FE0601 second address: 4FE0605 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4FE0605 second address: 4FE060B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4FE060B second address: 4FE064B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F9630EEA8B2h 0x00000009 or cx, 3ED8h 0x0000000e jmp 00007F9630EEA8ABh 0x00000013 popfd 0x00000014 mov dx, si 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F9630EEA8B0h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe RDTSC instruction interceptor: First address: 4FE064B second address: 4FE0655 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 427D80E4h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Special instruction interceptor: First address: 41787E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Special instruction interceptor: First address: 5B7A1F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Special instruction interceptor: First address: 41518A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Special instruction interceptor: First address: 5C6BCB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Special instruction interceptor: First address: 62B4DF instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: EC787E instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 1067A1F instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: EC518A instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 1076BCB instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 10DB4DF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 107787E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 1217A1F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 107518A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 1226BCB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 128B4DF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Code function: 0_2_05020CC3 rdtsc 0_2_05020CC3
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Window / User API: threadDelayed 506
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Window / User API: threadDelayed 672
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Window / User API: threadDelayed 4686
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 2876
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 2836
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 631
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 4870
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1224
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1280
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1266
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1249
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1280
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 378
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe TID: 1540 Thread sleep count: 41 > 30
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe TID: 1540 Thread sleep time: -82041s >= -30000s
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe TID: 1424 Thread sleep count: 506 > 30
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe TID: 1424 Thread sleep time: -1012506s >= -30000s
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe TID: 572 Thread sleep count: 119 > 30
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe TID: 5504 Thread sleep count: 672 > 30
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe TID: 5504 Thread sleep time: -1344672s >= -30000s
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe TID: 572 Thread sleep count: 256 > 30
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe TID: 5936 Thread sleep count: 4686 > 30
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe TID: 5936 Thread sleep time: -9376686s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3052 Thread sleep count: 55 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3052 Thread sleep time: -110055s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6480 Thread sleep count: 56 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6480 Thread sleep time: -112056s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5968 Thread sleep count: 69 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3196 Thread sleep count: 59 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3196 Thread sleep time: -118059s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5968 Thread sleep count: 318 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5968 Thread sleep time: -32118s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2792 Thread sleep count: 2876 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2792 Thread sleep time: -5754876s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3088 Thread sleep count: 2836 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3088 Thread sleep time: -5674836s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1372 Thread sleep count: 38 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1372 Thread sleep time: -76038s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5492 Thread sleep count: 631 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5492 Thread sleep time: -1262631s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6860 Thread sleep count: 67 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6860 Thread sleep count: 286 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3560 Thread sleep count: 4870 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3560 Thread sleep time: -9744870s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6124 Thread sleep count: 1224 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6124 Thread sleep time: -2449224s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3784 Thread sleep count: 1280 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3784 Thread sleep time: -2561280s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1080 Thread sleep count: 102 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1080 Thread sleep count: 339 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1080 Thread sleep time: -34239s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6904 Thread sleep count: 1266 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6904 Thread sleep time: -2533266s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5952 Thread sleep count: 1249 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5952 Thread sleep time: -2499249s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6292 Thread sleep count: 123 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4024 Thread sleep count: 42 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4024 Thread sleep time: -84042s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6268 Thread sleep count: 1280 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6268 Thread sleep time: -2561280s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6292 Thread sleep count: 378 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6292 Thread sleep time: -38178s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: RageMP131.exe, RageMP131.exe, 0000000C.00000002.3341151629.00000000011F6000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: RageMP131.exe, 00000008.00000002.3338690809.0000000000967000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: hYrJbjnzVc.exe, 00000000.00000002.3343201264.0000000001250000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000J
Source: hYrJbjnzVc.exe, 00000000.00000003.2142690858.00000000012CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&0000
Source: hYrJbjnzVc.exe, 00000000.00000002.3341233164.0000000000F5C000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}$
Source: RageMP131.exe, 0000000C.00000002.3338094758.0000000000AFC000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}d
Source: RageMP131.exe, 0000000C.00000003.2427156911.0000000000D68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: hYrJbjnzVc.exe, 00000000.00000002.3343201264.0000000001290000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_933EE5DA
Source: MPGPH131.exe, 00000007.00000003.2210426857.0000000001785000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6b
Source: MPGPH131.exe, 00000007.00000002.3341384311.0000000001785000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}~
Source: RageMP131.exe, 0000000C.00000003.2427156911.0000000000D68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: hYrJbjnzVc.exe, 00000000.00000003.2142690858.00000000012D4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b};
Source: MPGPH131.exe, 00000007.00000002.3341384311.0000000001785000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: k&Ven_VMware&Prod_Virtual_dih
Source: MPGPH131.exe, 00000006.00000002.3339556281.0000000000987000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllH
Source: RageMP131.exe, 00000008.00000003.2316246161.000000000097E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 00000008.00000002.3338352457.00000000006FC000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}4
Source: hYrJbjnzVc.exe, 00000000.00000002.3339682785.0000000000596000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3341333728.0000000001046000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.3339709367.0000000001046000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.3340597184.00000000011F6000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000002.3341151629.00000000011F6000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: MPGPH131.exe, 00000007.00000002.3341384311.000000000171B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000q
Source: RageMP131.exe, 0000000C.00000003.2427156911.0000000000D68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: hYrJbjnzVc.exe, 00000000.00000002.3343201264.00000000012BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3341384311.000000000176D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3338690809.0000000000967000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3338900504.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RageMP131.exe, 00000008.00000002.3338690809.000000000097C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_933EE5DA
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: SICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: SIWVID
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Code function: 0_2_05020CC3 rdtsc 0_2_05020CC3
Source: hYrJbjnzVc.exe, hYrJbjnzVc.exe, 00000000.00000002.3339682785.0000000000596000.00000040.00000001.01000000.00000003.sdmp, RageMP131.exe, RageMP131.exe, 0000000C.00000002.3341151629.00000000011F6000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: >Program Manager
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Code function: 0_2_002B360D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_002B360D
Source: C:\Users\user\Desktop\hYrJbjnzVc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: hYrJbjnzVc.exe PID: 1968, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 6976, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 6864, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 3992, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7080, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: hYrJbjnzVc.exe PID: 1968, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 6976, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 6864, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 3992, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7080, type: MEMORYSTR