Windows Analysis Report
vEaFCBsRb7.exe

Overview

General Information

Sample name: vEaFCBsRb7.exe
renamed because original name is a hash value
Original sample name: 26a3d2286a1e78d1fef731b2e4a7b389.exe
Analysis ID: 1435467
MD5: 26a3d2286a1e78d1fef731b2e4a7b389
SHA1: 372cc99f7f3ab79634eb3328d363ad101ba3ecce
SHA256: c00c36358caf5c06ae1e15c85fd3eb680b3e668d02fdff60979c8cfd0c68d0ad
Tags: 32exetrojan
Infos:

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
Connects to many ports of the same IP (likely port scanning)
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to detect virtual machines (SLDT)
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://147.45.47.102:57893/hera/amadka.exe Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: http://147.45.47.102:57893/hera/amadka.exe Virustotal: Detection: 18% Perma Link
Source: http://193.233.132.56/cost/go.exe Virustotal: Detection: 25% Perma Link
Source: http://147.45.47.102:57893/hera/amadka.exeh Virustotal: Detection: 16% Perma Link
Source: http://147.45.47.102:57893/hera/amadka.ex Virustotal: Detection: 16% Perma Link
Source: http://193.233.132.56/cost/sok.exe Virustotal: Detection: 23% Perma Link
Source: http://193.233.132.56/cost/lenin.exe Virustotal: Detection: 26% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe ReversingLabs: Detection: 52%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Virustotal: Detection: 51% Perma Link
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Virustotal: Detection: 51% Perma Link
Multi AV Scanner detection for submitted file
Source: vEaFCBsRb7.exe ReversingLabs: Detection: 52%
Source: vEaFCBsRb7.exe Virustotal: Detection: 51% Perma Link
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: vEaFCBsRb7.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00F93EB0 CryptUnprotectData,CryptUnprotectData, 9_2_00F93EB0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00F93EB0 CryptUnprotectData,CryptUnprotectData, 10_2_00F93EB0
Uses 32bit PE files
Source: vEaFCBsRb7.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00F933B0 FindFirstFileA,FindNextFileA, 9_2_00F933B0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00FB3B20 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 9_2_00FB3B20
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00F01F8C FindFirstFileExW, 9_2_00F01F8C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00F933B0 FindFirstFileA,FindNextFileA,FindClose, 10_2_00F933B0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00FB3B20 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 10_2_00FB3B20
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00F01F8C FindFirstFileExW, 10_2_00F01F8C

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.5:49705 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49705
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49705 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49706
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49707
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49706 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49707 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49714
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49714 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49715
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49715 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49705
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49706
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49707
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49714
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49715
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 147.45.47.93 ports 0,5,7,8,58709,9
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49705 -> 147.45.47.93:58709
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View IP Address: 147.45.47.93 147.45.47.93
Source: Joe Sandbox View IP Address: 172.67.75.166 172.67.75.166
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
May check the online IP address of the machine
Source: unknown DNS query: name: ipinfo.io
Source: unknown DNS query: name: ipinfo.io
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Code function: 0_2_00105940 recv,WSAStartup,closesocket,socket,connect,closesocket, 0_2_00105940
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: global traffic DNS traffic detected: DNS query: db-ip.com
Source: MPGPH131.exe, 00000007.00000002.3235201337.000000000142B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.ex
Source: MPGPH131.exe, 00000007.00000002.3235201337.000000000142B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3235201337.000000000138A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2941921958.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2940827840.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2941428467.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2938906121.00000000019B5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3127006702.00000000019B8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2940227625.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2973150979.00000000019B8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3117805791.00000000019AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe
Source: RageMP131.exe, 0000000A.00000002.3117805791.00000000019AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exeh
Source: MPGPH131.exe, 00000007.00000002.3235201337.000000000142B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3235201337.000000000138A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2941921958.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2940827840.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2941428467.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2938906121.00000000019B5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3127006702.00000000019B8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3129981998.0000000008100000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2940227625.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2973150979.00000000019B8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3117805791.00000000019AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/go.exe
Source: RageMP131.exe, 00000009.00000003.2941921958.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2940827840.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2941428467.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2938906121.00000000019B5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3127006702.00000000019B8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2940227625.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2973150979.00000000019B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/go.exe$
Source: RageMP131.exe, 00000009.00000002.3129981998.0000000008100000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/go.exe1
Source: RageMP131.exe, 0000000A.00000002.3117805791.00000000019AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/go.exemadka.exbot
Source: MPGPH131.exe, 00000007.00000002.3235201337.000000000142B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3235201337.000000000138A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2941921958.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2940827840.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2941428467.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2938906121.00000000019B5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3127006702.00000000019B8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2940227625.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2973150979.00000000019B8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3123655863.00000000084A0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3117805791.00000000019AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/lenin.exe
Source: RageMP131.exe, 00000009.00000003.2941921958.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2940827840.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2941428467.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2938906121.00000000019B5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3127006702.00000000019B8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2940227625.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2973150979.00000000019B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/lenin.exe225-
Source: MPGPH131.exe, 00000007.00000002.3235201337.000000000142B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3235201337.000000000138A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2941921958.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2940827840.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2941428467.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2938906121.00000000019B5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3127006702.00000000019B8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3129981998.0000000008100000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2940227625.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2973150979.00000000019B8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3123655863.00000000084A0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3117805791.00000000019AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/sok.exe
Source: RageMP131.exe, 0000000A.00000002.3117805791.00000000019AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/sok.exe.1
Source: RageMP131.exe, 00000009.00000003.2941921958.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2940827840.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2941428467.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2938906121.00000000019B5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3127006702.00000000019B8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2940227625.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2973150979.00000000019B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/sok.exe?
Source: MPGPH131.exe, 00000007.00000002.3235201337.000000000142B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/sok.exeea.exe
Source: MPGPH131.exe, 00000007.00000002.3235201337.000000000142B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/sok.exew
Source: vEaFCBsRb7.exe, 00000000.00000002.3231385899.0000000000041000.00000040.00000001.01000000.00000003.sdmp, vEaFCBsRb7.exe, 00000000.00000003.1983935215.0000000005320000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3231393001.0000000000431000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.2036916147.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3231395822.0000000000431000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2038042758.00000000051E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3124049233.0000000000ED1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000009.00000003.2177106825.0000000005580000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2268284285.00000000057E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3116069122.0000000000ED1000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: RageMP131.exe, 00000009.00000003.2755790436.000000000817D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2752679715.00000000084B6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2755577893.00000000088D5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2916837123.0000000008848000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2753096632.0000000008509000.00000004.00000020.00020000.00000000.sdmp, W44NXfpgbImZWeb Data.9.dr, TRDKrWwetNazWeb Data.10.dr, B1xZ4zWQ2d_TWeb Data.10.dr, 7uolldSk5KT8Web Data.9.dr, vIW_0PZSD0myWeb Data.10.dr, NhFbDsJoIRBGWeb Data.9.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RageMP131.exe, 00000009.00000003.2755790436.000000000817D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2752679715.00000000084B6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2755577893.00000000088D5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2916837123.0000000008848000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2753096632.0000000008509000.00000004.00000020.00020000.00000000.sdmp, W44NXfpgbImZWeb Data.9.dr, TRDKrWwetNazWeb Data.10.dr, B1xZ4zWQ2d_TWeb Data.10.dr, 7uolldSk5KT8Web Data.9.dr, vIW_0PZSD0myWeb Data.10.dr, NhFbDsJoIRBGWeb Data.9.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RageMP131.exe, 00000009.00000003.2755790436.000000000817D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2752679715.00000000084B6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2755577893.00000000088D5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2916837123.0000000008848000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2753096632.0000000008509000.00000004.00000020.00020000.00000000.sdmp, W44NXfpgbImZWeb Data.9.dr, TRDKrWwetNazWeb Data.10.dr, B1xZ4zWQ2d_TWeb Data.10.dr, 7uolldSk5KT8Web Data.9.dr, vIW_0PZSD0myWeb Data.10.dr, NhFbDsJoIRBGWeb Data.9.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RageMP131.exe, 00000009.00000003.2755790436.000000000817D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2752679715.00000000084B6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2755577893.00000000088D5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2916837123.0000000008848000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2753096632.0000000008509000.00000004.00000020.00020000.00000000.sdmp, W44NXfpgbImZWeb Data.9.dr, TRDKrWwetNazWeb Data.10.dr, B1xZ4zWQ2d_TWeb Data.10.dr, 7uolldSk5KT8Web Data.9.dr, vIW_0PZSD0myWeb Data.10.dr, NhFbDsJoIRBGWeb Data.9.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: MPGPH131.exe, 00000007.00000002.3235201337.000000000142B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3119070125.00000000019E9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2677242875.00000000019B9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.3027891603.00000000019E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: MPGPH131.exe, 00000007.00000002.3235201337.000000000142B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/2
Source: vEaFCBsRb7.exe, 00000000.00000002.3235371502.000000000160A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/cint
Source: RageMP131.exe, 00000009.00000003.2941921958.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2940827840.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2941428467.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2938906121.00000000019B5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3127006702.00000000019B8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2940227625.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2973150979.00000000019B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/d
Source: MPGPH131.exe, 00000006.00000002.3235354494.00000000011C0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3235201337.000000000142B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3126250989.0000000001981000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3117805791.00000000019AC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2677242875.00000000019B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225
Source: RageMP131.exe, 00000009.00000003.2938807474.00000000019BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2940724442.00000000019BE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3127041587.00000000019C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.2251&
Source: MPGPH131.exe, 00000007.00000002.3235201337.000000000142B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.2257
Source: RageMP131.exe, 0000000A.00000002.3117805791.00000000019AC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2677242875.00000000019B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.2259
Source: MPGPH131.exe, 00000006.00000002.3235354494.00000000011C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225F
Source: MPGPH131.exe, 00000007.00000002.3235201337.000000000142B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225Q
Source: MPGPH131.exe, 00000007.00000002.3235201337.000000000142B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225c
Source: MPGPH131.exe, 00000006.00000003.2763089667.0000000001200000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3235354494.00000000011FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225r
Source: MPGPH131.exe, 00000007.00000002.3235201337.000000000142B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/n
Source: MPGPH131.exe, 00000007.00000002.3235201337.000000000142B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3117805791.000000000193C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=191.96.150.225
Source: RageMP131.exe, 00000009.00000002.3126250989.0000000001981000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=191.96.150.225F
Source: vEaFCBsRb7.exe, 00000000.00000002.3235371502.000000000160A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3235354494.00000000011A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=191.96.150.225P
Source: RageMP131.exe, 00000009.00000003.2755790436.000000000817D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2752679715.00000000084B6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2755577893.00000000088D5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2916837123.0000000008848000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2753096632.0000000008509000.00000004.00000020.00020000.00000000.sdmp, W44NXfpgbImZWeb Data.9.dr, TRDKrWwetNazWeb Data.10.dr, B1xZ4zWQ2d_TWeb Data.10.dr, 7uolldSk5KT8Web Data.9.dr, vIW_0PZSD0myWeb Data.10.dr, NhFbDsJoIRBGWeb Data.9.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RageMP131.exe, 00000009.00000003.2755790436.000000000817D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2752679715.00000000084B6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2755577893.00000000088D5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2916837123.0000000008848000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2753096632.0000000008509000.00000004.00000020.00020000.00000000.sdmp, W44NXfpgbImZWeb Data.9.dr, TRDKrWwetNazWeb Data.10.dr, B1xZ4zWQ2d_TWeb Data.10.dr, 7uolldSk5KT8Web Data.9.dr, vIW_0PZSD0myWeb Data.10.dr, NhFbDsJoIRBGWeb Data.9.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RageMP131.exe, 00000009.00000003.2755790436.000000000817D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2752679715.00000000084B6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2755577893.00000000088D5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2916837123.0000000008848000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2753096632.0000000008509000.00000004.00000020.00020000.00000000.sdmp, W44NXfpgbImZWeb Data.9.dr, TRDKrWwetNazWeb Data.10.dr, B1xZ4zWQ2d_TWeb Data.10.dr, 7uolldSk5KT8Web Data.9.dr, vIW_0PZSD0myWeb Data.10.dr, NhFbDsJoIRBGWeb Data.9.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RageMP131.exe, RageMP131.exe, 0000000A.00000002.3117805791.000000000195D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3119070125.00000000019E9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2677242875.00000000019B9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.3027891603.00000000019E5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3117805791.0000000001998000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3117805791.00000000019A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: MPGPH131.exe, 00000006.00000002.3235354494.000000000115D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/L6
Source: vEaFCBsRb7.exe, 00000000.00000002.3235371502.000000000160A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3235354494.00000000011A7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3235201337.0000000001410000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3126250989.0000000001969000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3117805791.00000000019A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: vEaFCBsRb7.exe, 00000000.00000002.3235371502.00000000015E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/X
Source: vEaFCBsRb7.exe, 00000000.00000002.3231385899.0000000000041000.00000040.00000001.01000000.00000003.sdmp, vEaFCBsRb7.exe, 00000000.00000003.1983935215.0000000005320000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3231393001.0000000000431000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.2036916147.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3231395822.0000000000431000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2038042758.00000000051E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3124049233.0000000000ED1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000009.00000003.2177106825.0000000005580000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2268284285.00000000057E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3116069122.0000000000ED1000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: RageMP131.exe, 0000000A.00000002.3117805791.000000000195D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/s
Source: vEaFCBsRb7.exe, 00000000.00000002.3235371502.00000000015EE000.00000004.00000020.00020000.00000000.sdmp, vEaFCBsRb7.exe, 00000000.00000002.3235371502.000000000160A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3235354494.00000000011A7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3235354494.000000000111D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3235201337.0000000001410000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3235201337.00000000013BE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3126250989.000000000191A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3117805791.000000000194E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3117805791.00000000019A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.225
Source: MPGPH131.exe, 00000007.00000002.3235201337.00000000013BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.225K8G
Source: RageMP131.exe, 00000009.00000002.3126250989.0000000001969000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.225X
Source: vEaFCBsRb7.exe, 00000000.00000002.3235371502.000000000160A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3235354494.00000000011A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.150.225
Source: MPGPH131.exe, 00000007.00000002.3235201337.0000000001410000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.150.225A
Source: RageMP131.exe, 0000000A.00000002.3117805791.000000000193C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.150.225G
Source: RageMP131.exe, 00000009.00000002.3126250989.0000000001969000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.150.225P
Source: D87fZN3R3jFeplaces.sqlite.9.dr String found in binary or memory: https://support.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.9.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: D87fZN3R3jFeplaces.sqlite.9.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: RageMP131.exe, 00000009.00000002.3126250989.0000000001981000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.%G
Source: MPGPH131.exe, 00000006.00000002.3235354494.00000000011C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.R5
Source: vEaFCBsRb7.exe, 00000000.00000002.3235371502.000000000157E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3235354494.000000000111D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3235201337.000000000138A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2941479862.0000000008123000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2940272026.0000000008123000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2942013456.0000000008123000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3126250989.00000000018DE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3126250989.0000000001957000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2940922087.0000000008123000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3130008466.0000000008123000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3123655863.00000000084EF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3117805791.000000000191B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3123655863.00000000084B1000.00000004.00000020.00020000.00000000.sdmp, YZiM0LfOCL0wAoFFqwq287m.zip.10.dr, MGAxghooOX7va8QMyrnsU_W.zip.9.dr String found in binary or memory: https://t.me/RiseProSUPPORT
Source: RageMP131.exe, 00000009.00000002.3126250989.00000000018DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT-
Source: RageMP131.exe, 0000000A.00000002.3123655863.00000000084EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTAq
Source: vEaFCBsRb7.exe, 00000000.00000002.3235371502.000000000157E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTO
Source: RageMP131.exe, 0000000A.00000003.2677242875.00000000019B9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3117805791.000000000197F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2934224778.0000000008891000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2934413687.0000000008851000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3123655863.00000000084B1000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.9.dr, passwords.txt.10.dr String found in binary or memory: https://t.me/risepro_bot
Source: MPGPH131.exe, 00000006.00000003.2763203895.00000000011F8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3235354494.00000000011FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botftm
Source: MPGPH131.exe, 00000006.00000003.2763203895.00000000011F8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3235354494.00000000011FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botisepro_bot
Source: RageMP131.exe, 00000009.00000003.2941921958.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2940827840.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2941428467.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2938906121.00000000019B5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3127006702.00000000019B8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2940227625.00000000019B7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2973150979.00000000019B8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3117805791.00000000019AC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2677242875.00000000019B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botlater
Source: MPGPH131.exe, 00000006.00000003.2763203895.00000000011F8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3235354494.00000000011FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botlaterBt
Source: MPGPH131.exe, 00000007.00000002.3235201337.000000000142B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.z
Source: RageMP131.exe, 00000009.00000003.2755790436.000000000817D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2752679715.00000000084B6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2755577893.00000000088D5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2916837123.0000000008848000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2753096632.0000000008509000.00000004.00000020.00020000.00000000.sdmp, W44NXfpgbImZWeb Data.9.dr, TRDKrWwetNazWeb Data.10.dr, B1xZ4zWQ2d_TWeb Data.10.dr, 7uolldSk5KT8Web Data.9.dr, vIW_0PZSD0myWeb Data.10.dr, NhFbDsJoIRBGWeb Data.9.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: RageMP131.exe, 00000009.00000003.2755790436.000000000817D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2752679715.00000000084B6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2755577893.00000000088D5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2916837123.0000000008848000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2753096632.0000000008509000.00000004.00000020.00020000.00000000.sdmp, W44NXfpgbImZWeb Data.9.dr, TRDKrWwetNazWeb Data.10.dr, B1xZ4zWQ2d_TWeb Data.10.dr, 7uolldSk5KT8Web Data.9.dr, vIW_0PZSD0myWeb Data.10.dr, NhFbDsJoIRBGWeb Data.9.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RageMP131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: D87fZN3R3jFeplaces.sqlite.9.dr String found in binary or memory: https://www.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.9.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: D87fZN3R3jFeplaces.sqlite.9.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: RageMP131.exe, 00000009.00000002.3129981998.0000000008100000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3123655863.00000000084A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: RageMP131.exe, 00000009.00000003.2828113447.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2830416264.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2831360425.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2832188937.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2940922087.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2748493112.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2941479862.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3130008466.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2829713477.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2830079340.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2940272026.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2828415359.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2829208095.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2942013456.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2921042003.00000000084EF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2750221108.00000000084EF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3123655863.00000000084EF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2930691596.00000000084EF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2926661635.00000000084EF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2927097367.00000000084EF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2915101922.00000000084EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: RageMP131.exe, 00000009.00000002.3129981998.0000000008100000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/ph
Source: D87fZN3R3jFeplaces.sqlite.9.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: RageMP131.exe, 00000009.00000003.2828113447.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2830416264.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2831360425.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2832188937.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2940922087.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2748493112.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2941479862.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3130008466.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2829713477.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2830079340.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2940272026.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2828415359.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2829208095.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2942013456.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2921042003.00000000084EF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2750221108.00000000084EF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3123655863.00000000084EF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2930691596.00000000084EF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2926661635.00000000084EF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2927097367.00000000084EF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2915101922.00000000084EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: RageMP131.exe, 00000009.00000002.3129981998.0000000008100000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3123655863.00000000084A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: RageMP131.exe, 00000009.00000002.3129981998.0000000008100000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/_1
Source: RageMP131.exe, 00000009.00000002.3129981998.0000000008100000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/ata
Source: RageMP131.exe, 0000000A.00000002.3123655863.00000000084A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/atataV
Source: RageMP131.exe, 00000009.00000003.2828113447.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2830416264.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2831360425.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2832188937.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2940922087.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2748493112.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2941479862.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3130008466.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2829713477.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2830079340.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2940272026.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2828415359.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2829208095.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.2942013456.0000000008163000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2921042003.00000000084EF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2750221108.00000000084EF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3123655863.00000000084EF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2930691596.00000000084EF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2926661635.00000000084EF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2927097367.00000000084EF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2915101922.00000000084EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: RageMP131.exe, 0000000A.00000002.3123655863.00000000084A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/r
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49725 version: TLS 1.2

System Summary
barindex
PE file contains section with special chars
Source: vEaFCBsRb7.exe Static PE information: section name:
Source: vEaFCBsRb7.exe Static PE information: section name: .idata
Source: vEaFCBsRb7.exe Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name:
Detected potential crypto function
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Code function: 0_2_0007A918 0_2_0007A918
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Code function: 0_2_0007C950 0_2_0007C950
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Code function: 0_2_00077190 0_2_00077190
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Code function: 0_2_0008DA74 0_2_0008DA74
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Code function: 0_2_00130350 0_2_00130350
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Code function: 0_2_0008035F 0_2_0008035F
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Code function: 0_2_00098BA0 0_2_00098BA0
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Code function: 0_2_0006F570 0_2_0006F570
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Code function: 0_2_000947AD 0_2_000947AD
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Code function: 0_2_0012CFC0 0_2_0012CFC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0046C950 6_2_0046C950
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0046A918 6_2_0046A918
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00467190 6_2_00467190
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0047DA74 6_2_0047DA74
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00520350 6_2_00520350
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0047035F 6_2_0047035F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00488BA0 6_2_00488BA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0045F570 6_2_0045F570
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0051CFC0 6_2_0051CFC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004847AD 6_2_004847AD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_0046C950 7_2_0046C950
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_0046A918 7_2_0046A918
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00467190 7_2_00467190
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_0047DA74 7_2_0047DA74
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00520350 7_2_00520350
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_0047035F 7_2_0047035F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00488BA0 7_2_00488BA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_0045F570 7_2_0045F570
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_0051CFC0 7_2_0051CFC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_004847AD 7_2_004847AD
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00FC8080 9_2_00FC8080
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00F1001D 9_2_00F1001D
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00F661D0 9_2_00F661D0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00FAD2B0 9_2_00FAD2B0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00FAC3E0 9_2_00FAC3E0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00FAB7E0 9_2_00FAB7E0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00F4F730 9_2_00F4F730
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00EDB8E0 9_2_00EDB8E0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00FA49B0 9_2_00FA49B0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_0100C8D0 9_2_0100C8D0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00F68A80 9_2_00F68A80
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00F61A60 9_2_00F61A60
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00F6CBF0 9_2_00F6CBF0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00F28BA0 9_2_00F28BA0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00F77D20 9_2_00F77D20
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00F63ED0 9_2_00F63ED0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00F6AEC0 9_2_00F6AEC0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00F5DF60 9_2_00F5DF60
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_01013160 9_2_01013160
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00F07190 9_2_00F07190
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_010140A0 9_2_010140A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_010020C0 9_2_010020C0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00F71130 9_2_00F71130
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00F52100 9_2_00F52100
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_0100F280 9_2_0100F280
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00FC0350 9_2_00FC0350
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00F1035F 9_2_00F1035F
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00F225FE 9_2_00F225FE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00EFF570 9_2_00EFF570
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00F247AD 9_2_00F247AD
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00F0C950 9_2_00F0C950
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00F0A918 9_2_00F0A918
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00F1DA74 9_2_00F1DA74
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_01015A40 9_2_01015A40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00F60BA0 9_2_00F60BA0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00FB4B90 9_2_00FB4B90
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_01014AE0 9_2_01014AE0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00F71E40 9_2_00F71E40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00F28E20 9_2_00F28E20
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00FBBFC0 9_2_00FBBFC0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00FBCFC0 9_2_00FBCFC0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00FC8080 10_2_00FC8080
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00F1001D 10_2_00F1001D
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00F661D0 10_2_00F661D0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00FAD2B0 10_2_00FAD2B0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00FAC3E0 10_2_00FAC3E0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00FAB7E0 10_2_00FAB7E0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00F4F730 10_2_00F4F730
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00EDB8E0 10_2_00EDB8E0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00FA49B0 10_2_00FA49B0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_0100C8D0 10_2_0100C8D0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00F68A80 10_2_00F68A80
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00F61A60 10_2_00F61A60
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00F6CBF0 10_2_00F6CBF0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00F77D20 10_2_00F77D20
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00F63ED0 10_2_00F63ED0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00F6AEC0 10_2_00F6AEC0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00F5DF60 10_2_00F5DF60
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_01013160 10_2_01013160
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00F07190 10_2_00F07190
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_010140A0 10_2_010140A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_010020C0 10_2_010020C0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00F71130 10_2_00F71130
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00F52100 10_2_00F52100
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_0100F280 10_2_0100F280
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00FC0350 10_2_00FC0350
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00F1035F 10_2_00F1035F
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00F225FE 10_2_00F225FE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00EFF570 10_2_00EFF570
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00F247AD 10_2_00F247AD
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00F0C950 10_2_00F0C950
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00F0A918 10_2_00F0A918
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00F1DA74 10_2_00F1DA74
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_01015A40 10_2_01015A40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00F28BA0 10_2_00F28BA0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00F60BA0 10_2_00F60BA0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00FB4B90 10_2_00FB4B90
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_01014AE0 10_2_01014AE0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00F71E40 10_2_00F71E40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00F28E20 10_2_00F28E20
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00FBBFC0 10_2_00FBBFC0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00FBCFC0 10_2_00FBCFC0
Found potential string decryption / allocating functions
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 00464370 appears 48 times
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: String function: 00EEACE0 appears 172 times
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: String function: 00F04370 appears 58 times
Sample file is different than original file name gathered from version info
Source: vEaFCBsRb7.exe Binary or memory string: OriginalFilename vs vEaFCBsRb7.exe
Source: vEaFCBsRb7.exe, 00000000.00000000.1977311784.000000000061E000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs vEaFCBsRb7.exe
Source: vEaFCBsRb7.exe, 00000000.00000003.2010684178.0000000007750000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs vEaFCBsRb7.exe
Source: vEaFCBsRb7.exe, 00000000.00000002.3231918481.00000000001CF000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs vEaFCBsRb7.exe
Source: vEaFCBsRb7.exe, 00000000.00000002.3242207759.0000000005328000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs vEaFCBsRb7.exe
Source: vEaFCBsRb7.exe, 00000000.00000002.3234260277.000000000061E000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs vEaFCBsRb7.exe
Source: vEaFCBsRb7.exe Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs vEaFCBsRb7.exe
Uses 32bit PE files
Source: vEaFCBsRb7.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@11/49@2/3
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00FAD2B0 RegOpenKeyExA,RegQueryValueExA,RegOpenKeyExA,RegQueryValueExA,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA, 9_2_00FAD2B0
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe File created: C:\Users\user\AppData\Local\RageMP131 Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5436:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4320:120:WilError_03
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: vEaFCBsRb7.exe, 00000000.00000002.3231385899.0000000000041000.00000040.00000001.01000000.00000003.sdmp, vEaFCBsRb7.exe, 00000000.00000003.1983935215.0000000005320000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3231393001.0000000000431000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.2036916147.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3231395822.0000000000431000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2038042758.00000000051E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3124049233.0000000000ED1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000009.00000003.2177106825.0000000005580000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2268284285.00000000057E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3116069122.0000000000ED1000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: vEaFCBsRb7.exe, 00000000.00000002.3231385899.0000000000041000.00000040.00000001.01000000.00000003.sdmp, vEaFCBsRb7.exe, 00000000.00000003.1983935215.0000000005320000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3231393001.0000000000431000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.2036916147.0000000004D50000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3231395822.0000000000431000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2038042758.00000000051E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3124049233.0000000000ED1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000009.00000003.2177106825.0000000005580000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2268284285.00000000057E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3116069122.0000000000ED1000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: RageMP131.exe, 00000009.00000003.2752959894.0000000008491000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2920803867.00000000084F2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2750221108.00000000084B6000.00000004.00000020.00020000.00000000.sdmp, BmhpfoNy8YmSLogin Data.10.dr, Die7kmMhYngyLogin Data.9.dr, _qCL0JtTyq9oLogin Data.10.dr, kFLp2LBoLZ1YLogin Data For Account.10.dr, KhFfu9rziPxtLogin Data.9.dr, 7o2fjpb2aImdLogin Data For Account.9.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: vEaFCBsRb7.exe ReversingLabs: Detection: 52%
Source: vEaFCBsRb7.exe Virustotal: Detection: 51%
Source: vEaFCBsRb7.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: vEaFCBsRb7.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: RageMP131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: RageMP131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe File read: C:\Users\user\Desktop\vEaFCBsRb7.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\vEaFCBsRb7.exe "C:\Users\user\Desktop\vEaFCBsRb7.exe"
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: vEaFCBsRb7.exe Static file information: File size 2418176 > 1048576
Source: vEaFCBsRb7.exe Static PE information: Raw size of zwcrheqk is bigger than: 0x100000 < 0x19f600

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Unpacked PE file: 0.2.vEaFCBsRb7.exe.40000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zwcrheqk:EW;ynzgfcsr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zwcrheqk:EW;ynzgfcsr:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 6.2.MPGPH131.exe.430000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zwcrheqk:EW;ynzgfcsr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zwcrheqk:EW;ynzgfcsr:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 7.2.MPGPH131.exe.430000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zwcrheqk:EW;ynzgfcsr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zwcrheqk:EW;ynzgfcsr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 9.2.RageMP131.exe.ed0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zwcrheqk:EW;ynzgfcsr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zwcrheqk:EW;ynzgfcsr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 10.2.RageMP131.exe.ed0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zwcrheqk:EW;ynzgfcsr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zwcrheqk:EW;ynzgfcsr:EW;.taggant:EW;
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: vEaFCBsRb7.exe Static PE information: real checksum: 0x254ab5 should be: 0x254691
Source: RageMP131.exe.0.dr Static PE information: real checksum: 0x254ab5 should be: 0x254691
Source: MPGPH131.exe.0.dr Static PE information: real checksum: 0x254ab5 should be: 0x254691
PE file contains sections with non-standard names
Source: vEaFCBsRb7.exe Static PE information: section name:
Source: vEaFCBsRb7.exe Static PE information: section name: .idata
Source: vEaFCBsRb7.exe Static PE information: section name:
Source: vEaFCBsRb7.exe Static PE information: section name: zwcrheqk
Source: vEaFCBsRb7.exe Static PE information: section name: ynzgfcsr
Source: vEaFCBsRb7.exe Static PE information: section name: .taggant
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: zwcrheqk
Source: RageMP131.exe.0.dr Static PE information: section name: ynzgfcsr
Source: RageMP131.exe.0.dr Static PE information: section name: .taggant
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: zwcrheqk
Source: MPGPH131.exe.0.dr Static PE information: section name: ynzgfcsr
Source: MPGPH131.exe.0.dr Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Code function: 0_2_00073F49 push ecx; ret 0_2_00073F5C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00463F49 push ecx; ret 6_2_00463F5C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00463F49 push ecx; ret 7_2_00463F5C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00F03F49 push ecx; ret 9_2_00F03F5C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00F03F49 push ecx; ret 10_2_00F03F5C
Source: vEaFCBsRb7.exe Static PE information: section name: entropy: 7.9242587137381815
Source: vEaFCBsRb7.exe Static PE information: section name: zwcrheqk entropy: 7.91140248368453
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.9242587137381815
Source: RageMP131.exe.0.dr Static PE information: section name: zwcrheqk entropy: 7.91140248368453
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.9242587137381815
Source: MPGPH131.exe.0.dr Static PE information: section name: zwcrheqk entropy: 7.91140248368453
Drops PE files
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe Jump to dropped file
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131 Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131 Jump to behavior

Malware Analysis System Evasion
barindex
Found stalling execution ending in API Sleep call
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Stalling execution: Execution stalls by calling Sleep
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 358885 second address: 3588A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 jmp 00007FB48CB50B72h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3588A0 second address: 3588CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CC6F1F5h 0x00000007 jmp 00007FB48CC6F1EDh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3588CB second address: 3588FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FB48CB50B66h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d jne 00007FB48CB50B80h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3588FF second address: 358903 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 358903 second address: 358917 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007FB48CB50B6Eh 0x0000000c pushad 0x0000000d popad 0x0000000e je 00007FB48CB50B66h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 358917 second address: 35891D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 35891D second address: 35892D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CB50B6Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3578D4 second address: 3578E2 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB48CC6F1E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3578E2 second address: 3578E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3578E6 second address: 3578EE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3578EE second address: 3578FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FB48CB50B66h 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3578FA second address: 35790E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jng 00007FB48CC6F1E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007FB48CC6F1ECh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 35790E second address: 357931 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 jmp 00007FB48CB50B74h 0x0000000d pushad 0x0000000e popad 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 357931 second address: 35793B instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB48CC6F1E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 35793B second address: 35795B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB48CB50B76h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 357ACB second address: 357AFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FB48CC6F1F6h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB48CC6F1F0h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 357AFA second address: 357AFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 357C44 second address: 357C4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 357D97 second address: 357D9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 357D9B second address: 357DA5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB48CC6F1EEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 357F2C second address: 357F32 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 357F32 second address: 357F3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 358076 second address: 358085 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007FB48CB50B66h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 358085 second address: 3580A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push edi 0x0000000a pop edi 0x0000000b push esi 0x0000000c pop esi 0x0000000d pop ecx 0x0000000e popad 0x0000000f jnp 00007FB48CC6F1F4h 0x00000015 jo 00007FB48CC6F1EEh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 35AA21 second address: 35AA25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 35AA25 second address: 35AA2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 35AA2F second address: 35AA33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 35AA33 second address: 35AAB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007FB48CC6F1F6h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 jmp 00007FB48CC6F1EBh 0x00000017 pop eax 0x00000018 jmp 00007FB48CC6F1F2h 0x0000001d lea ebx, dword ptr [ebp+12456831h] 0x00000023 push 00000000h 0x00000025 push eax 0x00000026 call 00007FB48CC6F1E8h 0x0000002b pop eax 0x0000002c mov dword ptr [esp+04h], eax 0x00000030 add dword ptr [esp+04h], 00000018h 0x00000038 inc eax 0x00000039 push eax 0x0000003a ret 0x0000003b pop eax 0x0000003c ret 0x0000003d mov esi, 3FC09EB1h 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007FB48CC6F1F7h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 35AAB9 second address: 35AABF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 35AC95 second address: 35AC99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 35AC99 second address: 35ACB0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CB50B73h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 35ACB0 second address: 35ACB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 35ACB6 second address: 35ACBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 35ACBA second address: 35ACE2 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB48CC6F1E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jns 00007FB48CC6F1EEh 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 jbe 00007FB48CC6F1F0h 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 35ADCA second address: 35ADDE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB48CB50B6Ch 0x0000000d rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 35ADDE second address: 35ADE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 35AECB second address: 35AED2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 37A836 second address: 37A83C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 37A83C second address: 37A86D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CB50B76h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FB48CB50B73h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 37A86D second address: 37A88C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB48CC6F1F8h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 37A88C second address: 37A8BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB48CB50B6Fh 0x00000010 push ebx 0x00000011 jmp 00007FB48CB50B71h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 37A8BA second address: 37A8BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 37A8BF second address: 37A8C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 34BEA2 second address: 34BEA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 37870B second address: 37873E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CB50B76h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FB48CB50B77h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 378B79 second address: 378B8C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CD439AFh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 378E26 second address: 378E2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 378E2C second address: 378E43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB48CD439AEh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 378E43 second address: 378E4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 378E4D second address: 378E53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 378FD3 second address: 378FD9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 378FD9 second address: 378FF4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CD439AFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 378FF4 second address: 379017 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB48D1AA69Dh 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 379017 second address: 379021 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FB48CD439A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3793E4 second address: 3793ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3793ED second address: 379407 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FB48CD439AFh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 379407 second address: 379424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007FB48D1AA692h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 379424 second address: 379428 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 379428 second address: 37942C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 379834 second address: 379841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jbe 00007FB48CD439A6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 379841 second address: 379847 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 379847 second address: 37984B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 37984B second address: 379863 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48D1AA68Ah 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 379863 second address: 379867 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 379867 second address: 37988A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48D1AA690h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FB48D1AA68Fh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3799FA second address: 379A00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 379A00 second address: 379A05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 37A0A4 second address: 37A0DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007FB48CD439B3h 0x0000000d jmp 00007FB48CD439B3h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 js 00007FB48CD439A6h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 37A278 second address: 37A27E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 37A6B9 second address: 37A6C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 37FD2C second address: 37FD32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 34D92E second address: 34D932 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 34D932 second address: 34D969 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB48D1AA699h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 jmp 00007FB48D1AA691h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 34D969 second address: 34D972 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 34D972 second address: 34D976 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 382173 second address: 382189 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB48CD439ACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 380A0D second address: 380A12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 382390 second address: 382394 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 382394 second address: 3823A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48D1AA68Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3823A4 second address: 3823AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FB48CD439A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3823AE second address: 3823D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48D1AA699h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f jg 00007FB48D1AA688h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 38256D second address: 38257B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 38257B second address: 382580 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 382580 second address: 382586 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 386CAB second address: 386CAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 38625D second address: 386261 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 386261 second address: 38626F instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB48D1AA686h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 38626F second address: 386273 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 386273 second address: 386279 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 386279 second address: 38627F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 38627F second address: 38628E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB48D1AA68Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 38628E second address: 3862A0 instructions: 0x00000000 rdtsc 0x00000002 js 00007FB48CD439A6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 386409 second address: 38641B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FB48D1AA688h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 38641B second address: 386425 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FB48CD439A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 386566 second address: 38656A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 386AB3 second address: 386ABD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FB48CD439A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 386ABD second address: 386AC7 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB48D1AA686h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 388EAD second address: 388EB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3896DE second address: 3896F3 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FB48D1AA686h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c js 00007FB48D1AA68Eh 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 389750 second address: 38975B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FB48CD439A6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 389850 second address: 389855 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 389855 second address: 38986F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB48CD439ACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jp 00007FB48CD439BCh 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3899EF second address: 3899F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3899F3 second address: 3899F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3899F7 second address: 389A01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 389A01 second address: 389A05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 38B167 second address: 38B16D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 38D2D3 second address: 38D2EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FB48CD439A6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 jl 00007FB48CD439A6h 0x00000018 pop eax 0x00000019 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 38D2EC second address: 38D301 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB48D1AA691h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 38D301 second address: 38D351 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov di, BC8Eh 0x0000000d push 00000000h 0x0000000f mov dword ptr [ebp+12482553h], esi 0x00000015 stc 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push ebx 0x0000001b call 00007FB48CD439A8h 0x00000020 pop ebx 0x00000021 mov dword ptr [esp+04h], ebx 0x00000025 add dword ptr [esp+04h], 0000001Ch 0x0000002d inc ebx 0x0000002e push ebx 0x0000002f ret 0x00000030 pop ebx 0x00000031 ret 0x00000032 mov edi, 089AEB5Ah 0x00000037 mov esi, 19049F98h 0x0000003c xchg eax, ebx 0x0000003d pushad 0x0000003e push eax 0x0000003f push edx 0x00000040 jnl 00007FB48CD439A6h 0x00000046 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 38D351 second address: 38D355 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 38D355 second address: 38D363 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007FB48CD439A6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 38D363 second address: 38D37D instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB48D1AA686h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jns 00007FB48D1AA68Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 38F893 second address: 38F8B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB48CD439B8h 0x0000000c je 00007FB48CD439A6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 38F8B8 second address: 38F8BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 38FE6E second address: 38FE72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 390909 second address: 39094C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp], eax 0x0000000a sub edi, 179B7D69h 0x00000010 push 00000000h 0x00000012 sub dword ptr [ebp+12486FBFh], esi 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ecx 0x0000001d call 00007FB48D1AA688h 0x00000022 pop ecx 0x00000023 mov dword ptr [esp+04h], ecx 0x00000027 add dword ptr [esp+04h], 0000001Ah 0x0000002f inc ecx 0x00000030 push ecx 0x00000031 ret 0x00000032 pop ecx 0x00000033 ret 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 39094C second address: 39095D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CD439ADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 39095D second address: 390963 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 390963 second address: 390967 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 396039 second address: 396097 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48D1AA696h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c pushad 0x0000000d mov eax, 2AB2AAA0h 0x00000012 popad 0x00000013 push 00000000h 0x00000015 mov di, ax 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ecx 0x0000001d call 00007FB48D1AA688h 0x00000022 pop ecx 0x00000023 mov dword ptr [esp+04h], ecx 0x00000027 add dword ptr [esp+04h], 00000014h 0x0000002f inc ecx 0x00000030 push ecx 0x00000031 ret 0x00000032 pop ecx 0x00000033 ret 0x00000034 or dword ptr [ebp+122D3587h], edi 0x0000003a xchg eax, esi 0x0000003b push eax 0x0000003c jno 00007FB48D1AA688h 0x00000042 pop eax 0x00000043 push eax 0x00000044 push eax 0x00000045 push eax 0x00000046 push edx 0x00000047 push ebx 0x00000048 pop ebx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 396097 second address: 39609B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 396202 second address: 396206 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3962E5 second address: 3962F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jl 00007FB48CD439A6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 39946B second address: 39946F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 39946F second address: 399480 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CD439ADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 39A468 second address: 39A484 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB48D1AA692h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 39A5B0 second address: 39A5C2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007FB48CD439A8h 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 39A5C2 second address: 39A5CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FB48D1AA686h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 39A5CD second address: 39A66D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007FB48CD439A8h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 00000017h 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 mov edi, ebx 0x00000024 push dword ptr fs:[00000000h] 0x0000002b sub ebx, dword ptr [ebp+122D317Eh] 0x00000031 mov dword ptr fs:[00000000h], esp 0x00000038 push 00000000h 0x0000003a push ebx 0x0000003b call 00007FB48CD439A8h 0x00000040 pop ebx 0x00000041 mov dword ptr [esp+04h], ebx 0x00000045 add dword ptr [esp+04h], 0000001Dh 0x0000004d inc ebx 0x0000004e push ebx 0x0000004f ret 0x00000050 pop ebx 0x00000051 ret 0x00000052 mov dword ptr [ebp+122D2C6Ch], ecx 0x00000058 mov eax, dword ptr [ebp+122D07D1h] 0x0000005e jmp 00007FB48CD439B1h 0x00000063 push FFFFFFFFh 0x00000065 push esi 0x00000066 jmp 00007FB48CD439B0h 0x0000006b pop ebx 0x0000006c jc 00007FB48CD439A7h 0x00000072 cmc 0x00000073 nop 0x00000074 push eax 0x00000075 push edx 0x00000076 push edi 0x00000077 push eax 0x00000078 push edx 0x00000079 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 39A66D second address: 39A672 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 39A672 second address: 39A686 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jng 00007FB48CD439A6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 39A686 second address: 39A68B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 39A68B second address: 39A695 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FB48CD439A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 39E639 second address: 39E63D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 39D863 second address: 39D867 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3A0643 second address: 3A0648 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3A1623 second address: 3A1629 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3A1629 second address: 3A162D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3A2634 second address: 3A2646 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007FB48CD439ABh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 39E917 second address: 39E91B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3A36E2 second address: 3A3704 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CD439AAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e jne 00007FB48CD439A6h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jp 00007FB48CD439A6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 39E91B second address: 39E925 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB48D1AA686h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 39E925 second address: 39E93D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB48CD439B4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3A2896 second address: 3A289A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3A289A second address: 3A28C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop esi 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e jp 00007FB48CD439A6h 0x00000014 jmp 00007FB48CD439AFh 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d pop eax 0x0000001e rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3A3911 second address: 3A392D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB48D1AA698h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3A39F6 second address: 3A3A14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB48CD439B4h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3A3A14 second address: 3A3A18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3A5718 second address: 3A571E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3A49EB second address: 3A49F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3AD6EB second address: 3AD6EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3ACFF3 second address: 3AD00D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB48D1AA693h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3AD00D second address: 3AD01B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB48CD439A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3AFC0F second address: 3AFC15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3AFC15 second address: 3AFC1B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3AFC1B second address: 3AFC34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007FB48D1AA68Eh 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 34F3A3 second address: 34F3B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jl 00007FB48CD439AEh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 34F3B6 second address: 34F3FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48D1AA68Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007FB48D1AA68Ch 0x00000011 pushad 0x00000012 jng 00007FB48D1AA686h 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007FB48D1AA698h 0x0000001f jo 00007FB48D1AA686h 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 34F3FC second address: 34F429 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FB48CD439B5h 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007FB48CD439A6h 0x00000011 jmp 00007FB48CD439ACh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 34F429 second address: 34F433 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB48D1AA686h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3B1D94 second address: 3B1DD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FB48CD439A6h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e jmp 00007FB48CD439B6h 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 pushad 0x00000017 jmp 00007FB48CD439B6h 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3B1DD6 second address: 3B1DDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3B1DDA second address: 3B1DFC instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB48CD439A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 jmp 00007FB48CD439AFh 0x00000017 pop edi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3B1DFC second address: 3B1E22 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FB48D1AA690h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c pushad 0x0000000d jmp 00007FB48D1AA68Bh 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3B1E22 second address: 3B1E3A instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB48CD439A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 jc 00007FB48CD439A6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3B1E3A second address: 3B1E3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3B1ED3 second address: 3B1F42 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007FB48CD439B7h 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 jmp 00007FB48CD439B4h 0x00000016 mov eax, dword ptr [eax] 0x00000018 jnl 00007FB48CD439B6h 0x0000001e jmp 00007FB48CD439B0h 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 push eax 0x00000028 push edx 0x00000029 push ebx 0x0000002a jmp 00007FB48CD439B8h 0x0000002f pop ebx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3B210F second address: 3B2113 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 34F3B2 second address: 34F3B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3B96B7 second address: 3B96E3 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB48D1AA686h 0x00000008 jmp 00007FB48D1AA698h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 pop edx 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3B96E3 second address: 3B96E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3B96E9 second address: 3B96ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3B9AB7 second address: 3B9AC3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3B9AC3 second address: 3B9AC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3B9AC7 second address: 3B9AD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CD439AAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3B9D61 second address: 3B9D67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3B9D67 second address: 3B9D6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3C0783 second address: 3C0787 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3C0787 second address: 3C07B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d jp 00007FB48CD439A6h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a pop eax 0x0000001b jmp 00007FB48CD439B3h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3BF19D second address: 3BF1C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48D1AA68Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007FB48D1AA686h 0x0000000f jmp 00007FB48D1AA68Bh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3BF1C1 second address: 3BF1C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3BF92E second address: 3BF932 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3BF932 second address: 3BF94D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB48CD439AFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3BFD9A second address: 3BFDA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3BFDA0 second address: 3BFDA6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3BFEF7 second address: 3BFEFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 36EFC1 second address: 36EFD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FB48CD439A6h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 346F3B second address: 346F6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB48D1AA695h 0x00000008 jns 00007FB48D1AA686h 0x0000000e jne 00007FB48D1AA686h 0x00000014 popad 0x00000015 pushad 0x00000016 js 00007FB48D1AA686h 0x0000001c push eax 0x0000001d pop eax 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3BEE9E second address: 3BEEA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3C5A56 second address: 3C5A5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3C5A5A second address: 3C5A8D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CD439B4h 0x00000007 jp 00007FB48CD439A6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop eax 0x00000010 pushad 0x00000011 jg 00007FB48CD439AEh 0x00000017 jp 00007FB48CD439A6h 0x0000001d pushad 0x0000001e popad 0x0000001f pushad 0x00000020 push ecx 0x00000021 pop ecx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 387B7C second address: 387B92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB48D1AA692h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 387B92 second address: 387B96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 387D3E second address: 387D42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 387D42 second address: 387D48 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 387E72 second address: 387E78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 387E78 second address: 387E94 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB48CD439A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FB48CD439ACh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3883D0 second address: 3883D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3883D4 second address: 3883FD instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB48CD439A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FB48CD439B3h 0x0000000f popad 0x00000010 push eax 0x00000011 jo 00007FB48CD439B0h 0x00000017 push eax 0x00000018 push edx 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 388525 second address: 388549 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48D1AA699h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3886F6 second address: 388700 instructions: 0x00000000 rdtsc 0x00000002 js 00007FB48CD439ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 388700 second address: 38870C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 38870C second address: 388738 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CD439B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 jnl 00007FB48CD439A6h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3C4EB5 second address: 3C4EC1 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB48D1AA68Eh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3C4EC1 second address: 3C4EE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007FB48CD439EBh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB48CD439B1h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3C4EE0 second address: 3C4EFF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48D1AA68Fh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007FB48D1AA686h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3C4EFF second address: 3C4F03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3C506A second address: 3C507C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3C507C second address: 3C5096 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FB48CD439B5h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3C5325 second address: 3C532D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3C532D second address: 3C538B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CD439B5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FB48CD439B3h 0x0000000f jmp 00007FB48CD439AAh 0x00000014 jmp 00007FB48CD439AFh 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FB48CD439B3h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3C538B second address: 3C5395 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FB48D1AA686h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3C54B3 second address: 3C54BD instructions: 0x00000000 rdtsc 0x00000002 je 00007FB48CD439A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3C54BD second address: 3C54C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3C7175 second address: 3C717A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3CC789 second address: 3CC78D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3CB630 second address: 3CB655 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB48CD439A6h 0x00000008 jmp 00007FB48CD439AEh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FB48CD439ABh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3CB655 second address: 3CB673 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48D1AA698h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3CB673 second address: 3CB67D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FB48CD439A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3CB67D second address: 3CB681 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3CBAEC second address: 3CBB06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB48CD439B6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3CBB06 second address: 3CBB0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3CBB0A second address: 3CBB10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3CBB10 second address: 3CBB3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FB48D1AA6A1h 0x0000000c jne 00007FB48D1AA686h 0x00000012 jmp 00007FB48D1AA695h 0x00000017 push ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3CB061 second address: 3CB066 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3CB066 second address: 3CB072 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB48D1AA68Eh 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3CB072 second address: 3CB086 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 jmp 00007FB48CD439ABh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3CB086 second address: 3CB094 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3CB094 second address: 3CB0BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007FB48CD439ABh 0x0000000b jmp 00007FB48CD439B5h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3CB0BB second address: 3CB0CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB48D1AA68Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3CB0CA second address: 3CB0CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3CBEAB second address: 3CBEBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 js 00007FB48D1AA688h 0x0000000b push esi 0x0000000c pop esi 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3CBEBB second address: 3CBED1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB48CD439AEh 0x00000009 pop edi 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3CBED1 second address: 3CBED7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3CC07B second address: 3CC081 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3CC1C4 second address: 3CC1CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3CF1DD second address: 3CF1E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3CF1E3 second address: 3CF1F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007FB48D1AA68Eh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3D6889 second address: 3D6894 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3D6894 second address: 3D689E instructions: 0x00000000 rdtsc 0x00000002 jno 00007FB48D1AA686h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3D65C1 second address: 3D65CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FB48CD439A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3D65CB second address: 3D65D5 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB48D1AA686h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3D8CED second address: 3D8CF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3DEE68 second address: 3DEE76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnc 00007FB48D1AA686h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3DF415 second address: 3DF41C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3DF53F second address: 3DF55B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FB48D1AA686h 0x0000000a jmp 00007FB48D1AA691h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3DF55B second address: 3DF573 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB48CD439B2h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3DF573 second address: 3DF577 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3E2AC0 second address: 3E2ACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FB48CD439A6h 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3E2ACB second address: 3E2B03 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48D1AA68Ch 0x00000007 js 00007FB48D1AA68Ch 0x0000000d js 00007FB48D1AA686h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 jp 00007FB48D1AA688h 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FB48D1AA691h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3E241D second address: 3E2488 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB48CD439ADh 0x00000008 jnl 00007FB48CD439A6h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pushad 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007FB48CD439B5h 0x0000001b jmp 00007FB48CD439B7h 0x00000020 popad 0x00000021 pop edx 0x00000022 pop eax 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FB48CD439B8h 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3E2488 second address: 3E2490 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3E2490 second address: 3E2496 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3E2496 second address: 3E249C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3E2783 second address: 3E27C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CD439B7h 0x00000007 jnc 00007FB48CD439A6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FB48CD439B8h 0x00000014 pop edx 0x00000015 push ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 pop eax 0x0000001a rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3E89D9 second address: 3E89DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3E7E07 second address: 3E7E0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3E7E0D second address: 3E7E30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB48D1AA68Ah 0x00000009 jmp 00007FB48D1AA695h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3E86BC second address: 3E86C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3EE1D3 second address: 3EE207 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB48D1AA693h 0x00000009 jmp 00007FB48D1AA699h 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3EE207 second address: 3EE20F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3EE552 second address: 3EE556 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3EE816 second address: 3EE838 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FB48CD439A8h 0x00000008 jng 00007FB48CD439A8h 0x0000000e push eax 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jnp 00007FB48CD439A8h 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3EE838 second address: 3EE83C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3EE83C second address: 3EE846 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB48CD439A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3EE9DB second address: 3EE9E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3EE9E1 second address: 3EE9EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jns 00007FB48CD439A6h 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3EE9EE second address: 3EE9F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3EE9F3 second address: 3EE9FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3EE9FB second address: 3EEA03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 3EEE51 second address: 3EEE55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 405735 second address: 405739 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 405739 second address: 40573F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 40573F second address: 40576C instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB48D1AA69Bh 0x00000008 jmp 00007FB48D1AA695h 0x0000000d push ebx 0x0000000e jno 00007FB48D1AA686h 0x00000014 pushad 0x00000015 popad 0x00000016 pop ebx 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pushad 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 40576C second address: 40579B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b jmp 00007FB48CD439ACh 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FB48CD439B6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 40527D second address: 405281 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 405281 second address: 405296 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CD439B1h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 407B51 second address: 407B5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FB48D1AA686h 0x0000000a push edi 0x0000000b pop edi 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 407B5E second address: 407B7B instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB48CD439ACh 0x00000008 jnc 00007FB48CD439A6h 0x0000000e pushad 0x0000000f jne 00007FB48CD439A6h 0x00000015 jg 00007FB48CD439A6h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 407B7B second address: 407B9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jnc 00007FB48D1AA688h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FB48D1AA68Fh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 415736 second address: 41573C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 41573C second address: 415742 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 415742 second address: 415792 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB48CD439AFh 0x00000009 popad 0x0000000a jmp 00007FB48CD439B8h 0x0000000f pushad 0x00000010 jg 00007FB48CD439ACh 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FB48CD439B5h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 415792 second address: 41579D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 432D16 second address: 432D40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CD439B1h 0x00000007 jmp 00007FB48CD439B5h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 441FEC second address: 441FFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB48D1AA68Ah 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 441FFF second address: 44201A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a jbe 00007FB48CD439A6h 0x00000010 pushad 0x00000011 popad 0x00000012 pop edi 0x00000013 jng 00007FB48CD439ACh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 44201A second address: 44201E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 441E82 second address: 441E88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 441E88 second address: 441EA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007FB48D1AA68Ah 0x0000000b push edx 0x0000000c pop edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jnl 00007FB48D1AA686h 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 4443A8 second address: 4443BB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB48CD439ADh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 445FAB second address: 445FBD instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB48D1AA686h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnc 00007FB48D1AA688h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 445FBD second address: 445FC4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 4705FB second address: 470605 instructions: 0x00000000 rdtsc 0x00000002 js 00007FB48D1AA686h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 470605 second address: 470619 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007FB48CD439A6h 0x0000000e jnl 00007FB48CD439A6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 470619 second address: 470621 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 470621 second address: 47065F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FB48CD439B1h 0x00000008 pop edx 0x00000009 ja 00007FB48CD439BEh 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jl 00007FB48CD439B0h 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 47463A second address: 474662 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48D1AA699h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jng 00007FB48D1AA686h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 474662 second address: 474666 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 4746F7 second address: 47470F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB48D1AA694h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 47495B second address: 47495F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 47495F second address: 474986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 pushad 0x00000009 mov esi, ebx 0x0000000b mov edx, dword ptr [ebp+122D17EAh] 0x00000011 popad 0x00000012 push 00000004h 0x00000014 mov edx, 3AB3B311h 0x00000019 call 00007FB48D1AA689h 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 pop eax 0x00000023 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 474986 second address: 474993 instructions: 0x00000000 rdtsc 0x00000002 js 00007FB48CD439A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 474993 second address: 4749A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 pushad 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pop edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 4749A4 second address: 4749BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FB48CD439A6h 0x0000000a popad 0x0000000b popad 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 jne 00007FB48CD439A8h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 4749BE second address: 4749D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB48D1AA68Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 4749D0 second address: 4749E7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB48CD439AAh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 4749E7 second address: 474A24 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB48D1AA686h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jg 00007FB48D1AA692h 0x00000010 popad 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 pushad 0x00000016 jnl 00007FB48D1AA68Ch 0x0000001c pushad 0x0000001d jmp 00007FB48D1AA68Ch 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 475FB8 second address: 475FBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 475FBC second address: 475FC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FB48D1AA686h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 477EB1 second address: 477EB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53F073C second address: 53F0785 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop eax 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FB48D1AA694h 0x0000000e xchg eax, ebp 0x0000000f jmp 00007FB48D1AA690h 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FB48D1AA697h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53F0785 second address: 53F07AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 2822506Ah 0x00000008 movsx edx, si 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FB48CD439B4h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53F07AC second address: 53F07BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48D1AA68Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53C0168 second address: 53C01A5 instructions: 0x00000000 rdtsc 0x00000002 mov dx, 2A14h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push esi 0x0000000a pushad 0x0000000b push edx 0x0000000c mov di, ax 0x0000000f pop ecx 0x00000010 popad 0x00000011 mov dword ptr [esp], ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push eax 0x00000018 pop edx 0x00000019 pushfd 0x0000001a jmp 00007FB48CD439B0h 0x0000001f xor esi, 58F23CF8h 0x00000025 jmp 00007FB48CD439ABh 0x0000002a popfd 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53B0E11 second address: 53B0E15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53B0E15 second address: 53B0E1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53B0E1B second address: 53B0E32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB48D1AA693h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53B0E32 second address: 53B0E36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53B0E36 second address: 53B0E72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov si, FC51h 0x0000000e mov si, 0C8Dh 0x00000012 popad 0x00000013 xchg eax, ebp 0x00000014 jmp 00007FB48D1AA698h 0x00000019 mov ebp, esp 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FB48D1AA68Ah 0x00000024 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53B0E72 second address: 53B0E81 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CD439ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53B0E81 second address: 53B0E88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53B0E88 second address: 53B0EB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push dword ptr [ebp+04h] 0x0000000a pushad 0x0000000b mov dl, 50h 0x0000000d call 00007FB48CD439B6h 0x00000012 pop ebx 0x00000013 popad 0x00000014 push dword ptr [ebp+0Ch] 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a movzx esi, dx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53B0EB6 second address: 53B0EBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53B0EBA second address: 53B0EF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007FB48CD439ABh 0x0000000c xor esi, 60C5555Eh 0x00000012 jmp 00007FB48CD439B9h 0x00000017 popfd 0x00000018 popad 0x00000019 push dword ptr [ebp+08h] 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53B0EF6 second address: 53B0EFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53B0EFA second address: 53B0F0D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CD439AFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53B0F0D second address: 53B0F13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5420DA8 second address: 5420DAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5420DAE second address: 5420DB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5420DB4 second address: 5420E01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FB48CD439B2h 0x00000010 and esi, 6845CDF8h 0x00000016 jmp 00007FB48CD439ABh 0x0000001b popfd 0x0000001c movzx ecx, dx 0x0000001f popad 0x00000020 push eax 0x00000021 jmp 00007FB48CD439B2h 0x00000026 xchg eax, ebp 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5420E01 second address: 5420E1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48D1AA699h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5420E1E second address: 5420E2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB48CD439ACh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5400BD7 second address: 5400BDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5400BDB second address: 5400BE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5400BE1 second address: 5400BE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54503C4 second address: 54503C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54503C9 second address: 5450465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FB48D1AA691h 0x0000000a xor esi, 7AC28B36h 0x00000010 jmp 00007FB48D1AA691h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebp 0x0000001a pushad 0x0000001b push eax 0x0000001c mov bx, 13BEh 0x00000020 pop edx 0x00000021 pushfd 0x00000022 jmp 00007FB48D1AA694h 0x00000027 or esi, 35E39188h 0x0000002d jmp 00007FB48D1AA68Bh 0x00000032 popfd 0x00000033 popad 0x00000034 push eax 0x00000035 pushad 0x00000036 mov si, dx 0x00000039 pushfd 0x0000003a jmp 00007FB48D1AA68Bh 0x0000003f xor ax, 35CEh 0x00000044 jmp 00007FB48D1AA699h 0x00000049 popfd 0x0000004a popad 0x0000004b xchg eax, ebp 0x0000004c push eax 0x0000004d push edx 0x0000004e pushad 0x0000004f movsx edi, si 0x00000052 mov edi, eax 0x00000054 popad 0x00000055 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5450465 second address: 545048F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FB48CD439B7h 0x00000008 pop esi 0x00000009 mov eax, edi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov cl, 46h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 545048F second address: 5450498 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, AB31h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5430EBE second address: 5430ECD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CD439ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5430ECD second address: 5430EFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48D1AA699h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB48D1AA68Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5430EFA second address: 5430F00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5430F00 second address: 5430F1F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48D1AA693h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5430F1F second address: 5430F35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007FB48CD439B0h 0x00000009 pop esi 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53C07E4 second address: 53C07F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB48D1AA68Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53C07F4 second address: 53C07F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53C07F8 second address: 53C0823 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007FB48D1AA699h 0x00000011 mov eax, 0FC88FD7h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53C0823 second address: 53C083F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB48CD439B8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5420EA5 second address: 5420EBF instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB48D1AA68Fh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5420EBF second address: 5420ED7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB48CD439B4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54305A5 second address: 54305AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54305AB second address: 54305AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54305AF second address: 54305D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FB48D1AA696h 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54305D5 second address: 54305D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54305D9 second address: 54305F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48D1AA699h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5400A50 second address: 5400AA4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CD439B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FB48CD439B1h 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FB48CD439B6h 0x00000019 or ax, E548h 0x0000001e jmp 00007FB48CD439ABh 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5400AA4 second address: 5400B06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB48D1AA68Fh 0x00000009 add ah, FFFFFF8Eh 0x0000000c jmp 00007FB48D1AA699h 0x00000011 popfd 0x00000012 movzx eax, bx 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov ebp, esp 0x0000001a pushad 0x0000001b call 00007FB48D1AA699h 0x00000020 movzx eax, dx 0x00000023 pop edx 0x00000024 call 00007FB48D1AA68Ah 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5400B06 second address: 5400B13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 pop ebp 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5400B13 second address: 5400B17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5400B17 second address: 5400B1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5400B1B second address: 5400B21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5440156 second address: 5440165 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CD439ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5440165 second address: 544018E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB48D1AA68Fh 0x00000009 jmp 00007FB48D1AA693h 0x0000000e popfd 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 544018E second address: 54401F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 jmp 00007FB48CD439B4h 0x0000000d push eax 0x0000000e jmp 00007FB48CD439ABh 0x00000013 xchg eax, ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov ecx, edi 0x00000019 pushfd 0x0000001a jmp 00007FB48CD439B7h 0x0000001f sbb esi, 602ADB8Eh 0x00000025 jmp 00007FB48CD439B9h 0x0000002a popfd 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54401F5 second address: 5440208 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov si, di 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5440208 second address: 544020C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 544020C second address: 5440212 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5440212 second address: 5440241 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CD439B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB48CD439B5h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53E0921 second address: 53E0935 instructions: 0x00000000 rdtsc 0x00000002 mov ah, 69h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b mov dx, si 0x0000000e mov esi, 34F348C1h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53E0935 second address: 53E099B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB48CD439ADh 0x00000008 push esi 0x00000009 pop ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FB48CD439B8h 0x00000016 jmp 00007FB48CD439B5h 0x0000001b popfd 0x0000001c mov dx, si 0x0000001f popad 0x00000020 pop ebp 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 call 00007FB48CD439B6h 0x00000029 pop esi 0x0000002a rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5440D5F second address: 5440D63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5440D63 second address: 5440D83 instructions: 0x00000000 rdtsc 0x00000002 mov ch, F6h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 mov dl, 0Dh 0x00000009 mov bx, ax 0x0000000c popad 0x0000000d popad 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FB48CD439AFh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5440D83 second address: 5440D89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5440D89 second address: 5440D8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5440D8D second address: 5440E18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48D1AA68Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e mov ebx, 10936748h 0x00000013 mov bx, AFF4h 0x00000017 popad 0x00000018 push edi 0x00000019 call 00007FB48D1AA698h 0x0000001e pop esi 0x0000001f pop edi 0x00000020 popad 0x00000021 xchg eax, ebp 0x00000022 jmp 00007FB48D1AA68Eh 0x00000027 mov ebp, esp 0x00000029 pushad 0x0000002a mov cx, A66Dh 0x0000002e mov eax, 08D43C69h 0x00000033 popad 0x00000034 xchg eax, ecx 0x00000035 pushad 0x00000036 call 00007FB48D1AA691h 0x0000003b mov si, B277h 0x0000003f pop eax 0x00000040 popad 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007FB48D1AA699h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5440E18 second address: 5440E1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5440E1E second address: 5440E22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5440E22 second address: 5440E3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB48CD439B2h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5440E3F second address: 5440EBA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48D1AA68Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [76FA65FCh] 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FB48D1AA690h 0x00000015 sub ah, 00000058h 0x00000018 jmp 00007FB48D1AA68Bh 0x0000001d popfd 0x0000001e popad 0x0000001f test eax, eax 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007FB48D1AA694h 0x00000028 adc si, 20B8h 0x0000002d jmp 00007FB48D1AA68Bh 0x00000032 popfd 0x00000033 mov edi, esi 0x00000035 popad 0x00000036 je 00007FB4FEC8D14Bh 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007FB48D1AA691h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5440EBA second address: 5440EC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5440EC0 second address: 5440EC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5440EC4 second address: 5440EF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, eax 0x0000000a jmp 00007FB48CD439AFh 0x0000000f xor eax, dword ptr [ebp+08h] 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov si, 65B7h 0x00000019 call 00007FB48CD439ACh 0x0000001e pop ecx 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5440EF5 second address: 5440EFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 540002C second address: 5400032 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5400032 second address: 5400036 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5400036 second address: 540003A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 540003A second address: 5400052 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB48D1AA68Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5400052 second address: 5400058 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5400058 second address: 540005C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 540005C second address: 54000C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007FB48CD439AFh 0x0000000e mov ebp, esp 0x00000010 jmp 00007FB48CD439B6h 0x00000015 and esp, FFFFFFF8h 0x00000018 pushad 0x00000019 push esi 0x0000001a pushfd 0x0000001b jmp 00007FB48CD439ADh 0x00000020 xor eax, 5B593B96h 0x00000026 jmp 00007FB48CD439B1h 0x0000002b popfd 0x0000002c pop ecx 0x0000002d mov edx, 7C95F534h 0x00000032 popad 0x00000033 push edx 0x00000034 pushad 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54000C2 second address: 540012E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48D1AA68Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ax, 2FEFh 0x0000000d popad 0x0000000e mov dword ptr [esp], ecx 0x00000011 jmp 00007FB48D1AA692h 0x00000016 xchg eax, ebx 0x00000017 jmp 00007FB48D1AA690h 0x0000001c push eax 0x0000001d jmp 00007FB48D1AA68Bh 0x00000022 xchg eax, ebx 0x00000023 pushad 0x00000024 movzx esi, dx 0x00000027 mov ebx, 0164C424h 0x0000002c popad 0x0000002d mov ebx, dword ptr [ebp+10h] 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007FB48D1AA696h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 540012E second address: 540016F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CD439ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007FB48CD439B6h 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FB48CD439B7h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 540016F second address: 5400173 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5400173 second address: 540021B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB48CD439B6h 0x0000000b popad 0x0000000c xchg eax, esi 0x0000000d pushad 0x0000000e push eax 0x0000000f call 00007FB48CD439ADh 0x00000014 pop eax 0x00000015 pop edi 0x00000016 mov dh, ah 0x00000018 popad 0x00000019 mov esi, dword ptr [ebp+08h] 0x0000001c jmp 00007FB48CD439B9h 0x00000021 xchg eax, edi 0x00000022 pushad 0x00000023 push ecx 0x00000024 call 00007FB48CD439B3h 0x00000029 pop ecx 0x0000002a pop ebx 0x0000002b call 00007FB48CD439B6h 0x00000030 pushfd 0x00000031 jmp 00007FB48CD439B2h 0x00000036 and ax, C118h 0x0000003b jmp 00007FB48CD439ABh 0x00000040 popfd 0x00000041 pop esi 0x00000042 popad 0x00000043 push eax 0x00000044 pushad 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 540021B second address: 540021F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 540021F second address: 5400223 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5400223 second address: 540025C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 movzx esi, dx 0x00000009 popad 0x0000000a xchg eax, edi 0x0000000b pushad 0x0000000c movsx ebx, ax 0x0000000f mov ah, 83h 0x00000011 popad 0x00000012 test esi, esi 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 call 00007FB48D1AA694h 0x0000001c pop ecx 0x0000001d call 00007FB48D1AA68Bh 0x00000022 pop eax 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 540025C second address: 5400275 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB48CD439B5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5400275 second address: 54002E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48D1AA691h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007FB4FECC8A0Fh 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FB48D1AA68Ch 0x00000018 or ax, 8A98h 0x0000001d jmp 00007FB48D1AA68Bh 0x00000022 popfd 0x00000023 movzx eax, di 0x00000026 popad 0x00000027 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000002e jmp 00007FB48D1AA68Bh 0x00000033 je 00007FB4FECC89EAh 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007FB48D1AA692h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54002E2 second address: 5400334 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CD439B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007FB48CD439B2h 0x0000000f jmp 00007FB48CD439B5h 0x00000014 popfd 0x00000015 popad 0x00000016 mov edx, dword ptr [esi+44h] 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FB48CD439ADh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5400334 second address: 5400344 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB48D1AA68Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5400344 second address: 540035B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 or edx, dword ptr [ebp+0Ch] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB48CD439AAh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 540035B second address: 54003A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48D1AA68Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edx, 61000000h 0x0000000f jmp 00007FB48D1AA696h 0x00000014 jne 00007FB4FECC8988h 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FB48D1AA697h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54003A5 second address: 54003E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, di 0x00000006 mov al, bh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test byte ptr [esi+48h], 00000001h 0x0000000f jmp 00007FB48CD439AAh 0x00000014 jne 00007FB4FE861C89h 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d push edi 0x0000001e pop ecx 0x0000001f call 00007FB48CD439B9h 0x00000024 pop eax 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5420178 second address: 5420194 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48D1AA698h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5420194 second address: 542019A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 542019A second address: 54201DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48D1AA68Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d call 00007FB48D1AA68Ch 0x00000012 mov cx, 8CD1h 0x00000016 pop esi 0x00000017 pushad 0x00000018 mov dx, E610h 0x0000001c mov edx, 77CB533Ch 0x00000021 popad 0x00000022 popad 0x00000023 mov ebp, esp 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FB48D1AA68Eh 0x0000002c rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54201DE second address: 54201F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, bx 0x00000006 push ebx 0x00000007 pop esi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and esp, FFFFFFF8h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54201F2 second address: 54201F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54201F6 second address: 54201FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54201FC second address: 542027E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48D1AA693h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007FB48D1AA696h 0x0000000f push eax 0x00000010 jmp 00007FB48D1AA68Bh 0x00000015 xchg eax, ebx 0x00000016 jmp 00007FB48D1AA696h 0x0000001b xchg eax, esi 0x0000001c jmp 00007FB48D1AA690h 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 mov edi, esi 0x00000027 call 00007FB48D1AA698h 0x0000002c pop eax 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 542027E second address: 54202B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB48CD439AEh 0x00000009 xor ah, 00000038h 0x0000000c jmp 00007FB48CD439ABh 0x00000011 popfd 0x00000012 movzx esi, di 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, esi 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FB48CD439AEh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54202B6 second address: 542032B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB48D1AA691h 0x00000009 jmp 00007FB48D1AA68Bh 0x0000000e popfd 0x0000000f pushfd 0x00000010 jmp 00007FB48D1AA698h 0x00000015 xor ecx, 56BD3A28h 0x0000001b jmp 00007FB48D1AA68Bh 0x00000020 popfd 0x00000021 popad 0x00000022 pop edx 0x00000023 pop eax 0x00000024 mov esi, dword ptr [ebp+08h] 0x00000027 jmp 00007FB48D1AA696h 0x0000002c sub ebx, ebx 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 mov eax, 1E52A859h 0x00000036 mov edi, esi 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 542032B second address: 5420331 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5420331 second address: 5420360 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48D1AA68Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test esi, esi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007FB48D1AA693h 0x00000015 movzx esi, di 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5420360 second address: 542040D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CD439B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FB4FE8399BEh 0x0000000f jmp 00007FB48CD439B0h 0x00000014 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001b pushad 0x0000001c call 00007FB48CD439AEh 0x00000021 pushad 0x00000022 popad 0x00000023 pop ecx 0x00000024 mov bh, 78h 0x00000026 popad 0x00000027 mov ecx, esi 0x00000029 pushad 0x0000002a call 00007FB48CD439B6h 0x0000002f call 00007FB48CD439B2h 0x00000034 pop ecx 0x00000035 pop ebx 0x00000036 mov esi, 5A33E967h 0x0000003b popad 0x0000003c je 00007FB4FE83996Eh 0x00000042 pushad 0x00000043 push eax 0x00000044 push edx 0x00000045 pushfd 0x00000046 jmp 00007FB48CD439B6h 0x0000004b adc ecx, 7F558AC8h 0x00000051 jmp 00007FB48CD439ABh 0x00000056 popfd 0x00000057 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 542040D second address: 5420411 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5420411 second address: 54204AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 test byte ptr [76FA6968h], 00000002h 0x0000000e pushad 0x0000000f mov bx, B9A4h 0x00000013 call 00007FB48CD439ADh 0x00000018 jmp 00007FB48CD439B0h 0x0000001d pop ecx 0x0000001e popad 0x0000001f jne 00007FB4FE839919h 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007FB48CD439B7h 0x0000002c or si, 671Eh 0x00000031 jmp 00007FB48CD439B9h 0x00000036 popfd 0x00000037 pushfd 0x00000038 jmp 00007FB48CD439B0h 0x0000003d add eax, 395CD518h 0x00000043 jmp 00007FB48CD439ABh 0x00000048 popfd 0x00000049 popad 0x0000004a mov edx, dword ptr [ebp+0Ch] 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 mov di, si 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54204AF second address: 54204B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54204B5 second address: 54204B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54204B9 second address: 54204BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54204BD second address: 542051B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a movzx eax, dx 0x0000000d call 00007FB48CD439B9h 0x00000012 pop edx 0x00000013 popad 0x00000014 mov dword ptr [esp], ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a mov bx, C8FAh 0x0000001e pushfd 0x0000001f jmp 00007FB48CD439ABh 0x00000024 or si, 1C9Eh 0x00000029 jmp 00007FB48CD439B9h 0x0000002e popfd 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 542051B second address: 54205AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 0C560CB2h 0x00000008 mov si, bx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 movzx esi, bx 0x00000013 pushfd 0x00000014 jmp 00007FB48D1AA68Dh 0x00000019 sub ah, FFFFFF86h 0x0000001c jmp 00007FB48D1AA691h 0x00000021 popfd 0x00000022 popad 0x00000023 mov dword ptr [esp], ebx 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007FB48D1AA693h 0x0000002f or ch, FFFFFFBEh 0x00000032 jmp 00007FB48D1AA699h 0x00000037 popfd 0x00000038 pushfd 0x00000039 jmp 00007FB48D1AA690h 0x0000003e adc ch, FFFFFFB8h 0x00000041 jmp 00007FB48D1AA68Bh 0x00000046 popfd 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54205AA second address: 54205AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54205AF second address: 54205D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movsx edi, cx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push dword ptr [ebp+14h] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FB48D1AA693h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54205D1 second address: 54205E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FB48CD439AFh 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54205E6 second address: 54205F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push dword ptr [ebp+10h] 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d mov dh, 9Eh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5420631 second address: 5420637 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5420637 second address: 542063B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 542063B second address: 54206B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CD439ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c jmp 00007FB48CD439B6h 0x00000011 pop ebx 0x00000012 jmp 00007FB48CD439B0h 0x00000017 mov esp, ebp 0x00000019 pushad 0x0000001a mov ax, 769Dh 0x0000001e pushfd 0x0000001f jmp 00007FB48CD439AAh 0x00000024 or si, 5BF8h 0x00000029 jmp 00007FB48CD439ABh 0x0000002e popfd 0x0000002f popad 0x00000030 pop ebp 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FB48CD439B5h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54206B0 second address: 54206B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5400F3E second address: 5400F44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54719D4 second address: 54719E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB48D1AA68Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5471A7D second address: 5471A83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5471A83 second address: 5471AA4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48D1AA68Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB48D1AA68Ah 0x00000013 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5471AA4 second address: 5471AAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5471AAA second address: 54719D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48D1AA68Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 retn 0004h 0x0000000c lea eax, dword ptr [ebp-10h] 0x0000000f push eax 0x00000010 call ebx 0x00000012 mov edi, edi 0x00000014 jmp 00007FB48D1AA699h 0x00000019 xchg eax, ebp 0x0000001a pushad 0x0000001b call 00007FB48D1AA68Ch 0x00000020 mov di, cx 0x00000023 pop esi 0x00000024 pushfd 0x00000025 jmp 00007FB48D1AA697h 0x0000002a or ah, 0000001Eh 0x0000002d jmp 00007FB48D1AA699h 0x00000032 popfd 0x00000033 popad 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007FB48D1AA68Ch 0x0000003c rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53C03FB second address: 53C0451 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB48CD439AFh 0x00000009 sub si, 015Eh 0x0000000e jmp 00007FB48CD439B9h 0x00000013 popfd 0x00000014 mov di, cx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b jmp 00007FB48CD439AAh 0x00000020 push eax 0x00000021 jmp 00007FB48CD439ABh 0x00000026 xchg eax, ebp 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53C0451 second address: 53C0455 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53C0455 second address: 53C0470 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CD439B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53C0470 second address: 53C04CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, dx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c jmp 00007FB48D1AA693h 0x00000011 mov ecx, 0EE135CFh 0x00000016 popad 0x00000017 xchg eax, ecx 0x00000018 jmp 00007FB48D1AA692h 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007FB48D1AA68Ch 0x00000027 add si, 63A8h 0x0000002c jmp 00007FB48D1AA68Bh 0x00000031 popfd 0x00000032 push esi 0x00000033 pop ebx 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53C04CD second address: 53C04DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov bh, B8h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53C04DD second address: 53C04E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53C04E2 second address: 53C04F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB48CD439AAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53C05BF second address: 53C05D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB48D1AA694h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53C05D7 second address: 53C0662 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CD439ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test eax, eax 0x0000000d pushad 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FB48CD439B2h 0x00000015 add ecx, 201499D8h 0x0000001b jmp 00007FB48CD439ABh 0x00000020 popfd 0x00000021 popad 0x00000022 pushfd 0x00000023 jmp 00007FB48CD439B4h 0x00000028 sub cx, E438h 0x0000002d jmp 00007FB48CD439ABh 0x00000032 popfd 0x00000033 popad 0x00000034 js 00007FB4FD2AF41Ah 0x0000003a pushad 0x0000003b mov al, 5Eh 0x0000003d mov eax, edi 0x0000003f popad 0x00000040 mov eax, dword ptr [ebp-04h] 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 jmp 00007FB48CD439B4h 0x0000004b mov ebx, ecx 0x0000004d popad 0x0000004e rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53C0662 second address: 53C0695 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48D1AA697h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 leave 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB48D1AA695h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53A0C51 second address: 53A0C57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53A0C57 second address: 53A0C5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53A0C5B second address: 53A0C5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53A0C5F second address: 53A0C75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB48D1AA68Bh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53A0C75 second address: 53A0CAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CD439B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c jmp 00007FB48CD439AEh 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53A0CAA second address: 53A0CB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53A0CB0 second address: 53A0CB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53A0CB5 second address: 53A0CD2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, bx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB48D1AA68Fh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53A0CD2 second address: 53A0CD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 53A0CD6 second address: 53A0CDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5430165 second address: 54301E3 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FB48CD439B8h 0x00000008 adc eax, 63B35FE8h 0x0000000e jmp 00007FB48CD439ABh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 mov ah, 3Bh 0x00000018 popad 0x00000019 push eax 0x0000001a jmp 00007FB48CD439B2h 0x0000001f xchg eax, ebp 0x00000020 pushad 0x00000021 mov ax, 921Dh 0x00000025 pushfd 0x00000026 jmp 00007FB48CD439AAh 0x0000002b adc ax, 7D78h 0x00000030 jmp 00007FB48CD439ABh 0x00000035 popfd 0x00000036 popad 0x00000037 mov ebp, esp 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007FB48CD439B0h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54301E3 second address: 54301F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48D1AA68Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54301F2 second address: 54301F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54301F8 second address: 5430238 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48D1AA68Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f pop edi 0x00000010 pushfd 0x00000011 jmp 00007FB48D1AA68Eh 0x00000016 jmp 00007FB48D1AA695h 0x0000001b popfd 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 pop edi 0x00000021 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5400D44 second address: 5400D4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54902FB second address: 549030F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB48D1AA690h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 549030F second address: 5490313 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5490313 second address: 5490369 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FB48D1AA68Eh 0x0000000e xchg eax, ebp 0x0000000f jmp 00007FB48D1AA690h 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007FB48D1AA68Dh 0x0000001f sub ecx, 2F9F2C56h 0x00000025 jmp 00007FB48D1AA691h 0x0000002a popfd 0x0000002b mov edi, eax 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5490369 second address: 5490385 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB48CD439B8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5490385 second address: 549039F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48D1AA68Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+0Ch] 0x0000000e pushad 0x0000000f mov edx, esi 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 549039F second address: 5490463 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push dword ptr [ebp+08h] 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FB48CD439B6h 0x00000010 or cl, 00000038h 0x00000013 jmp 00007FB48CD439ABh 0x00000018 popfd 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007FB48CD439B6h 0x00000020 adc ah, FFFFFF98h 0x00000023 jmp 00007FB48CD439ABh 0x00000028 popfd 0x00000029 mov di, cx 0x0000002c popad 0x0000002d popad 0x0000002e call 00007FB48CD439A9h 0x00000033 pushad 0x00000034 mov ax, 6947h 0x00000038 push ecx 0x00000039 pushfd 0x0000003a jmp 00007FB48CD439B3h 0x0000003f and cx, 330Eh 0x00000044 jmp 00007FB48CD439B9h 0x00000049 popfd 0x0000004a pop esi 0x0000004b popad 0x0000004c push eax 0x0000004d jmp 00007FB48CD439AEh 0x00000052 mov eax, dword ptr [esp+04h] 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a jmp 00007FB48CD439ADh 0x0000005f rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5490463 second address: 5490478 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48D1AA691h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54406F4 second address: 5440760 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CD439B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FB48CD439B1h 0x0000000f xchg eax, ebp 0x00000010 jmp 00007FB48CD439AEh 0x00000015 mov ebp, esp 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007FB48CD439ADh 0x00000020 sub ecx, 640EEE96h 0x00000026 jmp 00007FB48CD439B1h 0x0000002b popfd 0x0000002c mov ch, 17h 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5440760 second address: 5440766 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5440766 second address: 544076A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 544076A second address: 54407A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48D1AA694h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and esp, FFFFFFF0h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FB48D1AA697h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54407A0 second address: 54407C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CD439B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esp, 44h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54407C6 second address: 54407CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54407CA second address: 54407D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54407D0 second address: 54407D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54407D6 second address: 5440800 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CD439ACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c jmp 00007FB48CD439B0h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5440800 second address: 5440804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5440804 second address: 544080A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 544080A second address: 5440820 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB48D1AA692h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5440820 second address: 5440824 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5440940 second address: 5440944 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5440944 second address: 544094A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 544094A second address: 54409AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FB48D1AA692h 0x00000009 and esi, 36507268h 0x0000000f jmp 00007FB48D1AA68Bh 0x00000014 popfd 0x00000015 mov cx, 605Fh 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c lock bts dword ptr [edi], 00000000h 0x00000021 jmp 00007FB48D1AA692h 0x00000026 jc 00007FB4FEC2C129h 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007FB48D1AA697h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54409AF second address: 5440A0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CD439B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a jmp 00007FB48CD439AEh 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov bl, 71h 0x00000015 pushfd 0x00000016 jmp 00007FB48CD439B6h 0x0000001b sbb ax, DBE8h 0x00000020 jmp 00007FB48CD439ABh 0x00000025 popfd 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5440A0A second address: 5440A10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5440A10 second address: 5440A53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CD439ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c jmp 00007FB48CD439B6h 0x00000011 mov esp, ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FB48CD439B7h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5440A53 second address: 5440A77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB48D1AA698h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5440A77 second address: 5440A7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5440388 second address: 54403DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48D1AA697h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FB48D1AA696h 0x00000010 xchg eax, ebx 0x00000011 jmp 00007FB48D1AA690h 0x00000016 push eax 0x00000017 jmp 00007FB48D1AA68Bh 0x0000001c xchg eax, ebx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54403DF second address: 54403E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54403E3 second address: 54403FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48D1AA697h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54403FE second address: 54404C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CD439B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b mov bh, ah 0x0000000d pushfd 0x0000000e jmp 00007FB48CD439B9h 0x00000013 sbb ch, 00000066h 0x00000016 jmp 00007FB48CD439B1h 0x0000001b popfd 0x0000001c popad 0x0000001d push eax 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007FB48CD439B7h 0x00000025 jmp 00007FB48CD439B3h 0x0000002a popfd 0x0000002b pushfd 0x0000002c jmp 00007FB48CD439B8h 0x00000031 sub ecx, 799EF998h 0x00000037 jmp 00007FB48CD439ABh 0x0000003c popfd 0x0000003d popad 0x0000003e xchg eax, esi 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007FB48CD439B5h 0x00000046 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54404C1 second address: 5440539 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48D1AA691h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FB48D1AA68Ah 0x00000014 or ch, 00000058h 0x00000017 jmp 00007FB48D1AA68Bh 0x0000001c popfd 0x0000001d pushfd 0x0000001e jmp 00007FB48D1AA698h 0x00000023 sub esi, 610D88B8h 0x00000029 jmp 00007FB48D1AA68Bh 0x0000002e popfd 0x0000002f popad 0x00000030 mov eax, 599228EFh 0x00000035 popad 0x00000036 sub ecx, ecx 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007FB48D1AA68Eh 0x0000003f rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 5440539 second address: 54405B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CD439ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a jmp 00007FB48CD439B6h 0x0000000f push eax 0x00000010 pushad 0x00000011 mov dx, 2924h 0x00000015 jmp 00007FB48CD439ADh 0x0000001a popad 0x0000001b xchg eax, edi 0x0000001c jmp 00007FB48CD439AEh 0x00000021 mov eax, 00000001h 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007FB48CD439ADh 0x0000002f sub esi, 0EB998C6h 0x00000035 jmp 00007FB48CD439B1h 0x0000003a popfd 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54405B2 second address: 54405B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe RDTSC instruction interceptor: First address: 54405B7 second address: 54405DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB48CD439B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lock cmpxchg dword ptr [esi], ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Special instruction interceptor: First address: 1D7AD1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Special instruction interceptor: First address: 1D7A15 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Special instruction interceptor: First address: 38221D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Special instruction interceptor: First address: 38084C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Special instruction interceptor: First address: 387666 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Special instruction interceptor: First address: 3FD412 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 5C7AD1 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 5C7A15 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 77221D instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 77084C instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 777666 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 7ED412 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 1067AD1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 1067A15 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 121221D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 121084C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 1217666 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 128D412 instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Code function: 0_2_05480B9E rdtsc 0_2_05480B9E
Contains functionality to detect virtual machines (SLDT)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_04EC0261 sldt word ptr [eax] 6_2_04EC0261
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Window / User API: threadDelayed 8600 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 914 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1270 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1664 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 904 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 436 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 7623 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 427 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1190 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1072 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1895 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1221 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1299 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1069 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1321 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1385 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1325 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1310 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1375 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1257 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1268 Jump to behavior
Found decision node followed by non-executed suspicious APIs
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe TID: 5688 Thread sleep count: 66 > 30 Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe TID: 5688 Thread sleep time: -132066s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe TID: 5752 Thread sleep count: 57 > 30 Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe TID: 5752 Thread sleep time: -114057s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe TID: 5692 Thread sleep count: 288 > 30 Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe TID: 5692 Thread sleep time: -576288s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe TID: 4304 Thread sleep count: 285 > 30 Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe TID: 6972 Thread sleep count: 64 > 30 Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe TID: 6972 Thread sleep time: -128064s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe TID: 1988 Thread sleep count: 53 > 30 Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe TID: 1988 Thread sleep time: -106053s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe TID: 5692 Thread sleep count: 8600 > 30 Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe TID: 5692 Thread sleep time: -17208600s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6340 Thread sleep count: 39 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6340 Thread sleep time: -78039s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5812 Thread sleep count: 914 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5812 Thread sleep time: -1828914s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5016 Thread sleep count: 49 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2972 Thread sleep count: 1270 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2972 Thread sleep time: -2541270s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5016 Thread sleep count: 268 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4432 Thread sleep count: 1664 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4432 Thread sleep time: -3329664s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3624 Thread sleep count: 904 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3624 Thread sleep time: -1808904s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5016 Thread sleep count: 51 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4028 Thread sleep count: 436 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4028 Thread sleep time: -872436s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 748 Thread sleep count: 309 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 748 Thread sleep time: -618309s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3636 Thread sleep count: 46 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5624 Thread sleep count: 107 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5624 Thread sleep time: -214107s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3636 Thread sleep count: 265 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2568 Thread sleep count: 7623 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2568 Thread sleep time: -15253623s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6036 Thread sleep count: 427 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6036 Thread sleep time: -854427s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3636 Thread sleep count: 47 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3396 Thread sleep count: 1190 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3396 Thread sleep time: -2381190s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3928 Thread sleep count: 1072 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3928 Thread sleep time: -2145072s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5324 Thread sleep count: 49 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5324 Thread sleep time: -98049s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5492 Thread sleep count: 211 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6096 Thread sleep count: 1895 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6096 Thread sleep time: -3791895s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5364 Thread sleep count: 1221 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5364 Thread sleep time: -2443221s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4696 Thread sleep count: 1299 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4696 Thread sleep time: -2599299s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4676 Thread sleep count: 1069 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4676 Thread sleep time: -2139069s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6764 Thread sleep count: 1321 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6764 Thread sleep time: -2643321s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7264 Thread sleep count: 72 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7264 Thread sleep time: -144072s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7236 Thread sleep count: 1385 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7236 Thread sleep time: -2771385s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7224 Thread sleep count: 154 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7224 Thread sleep count: 31 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7252 Thread sleep count: 1325 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7252 Thread sleep time: -2651325s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7240 Thread sleep count: 1310 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7240 Thread sleep time: -2621310s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7260 Thread sleep count: 1375 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7260 Thread sleep time: -2751375s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7256 Thread sleep count: 1257 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7256 Thread sleep time: -2515257s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7244 Thread sleep count: 1268 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7244 Thread sleep time: -2537268s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00F933B0 FindFirstFileA,FindNextFileA, 9_2_00F933B0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00FB3B20 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 9_2_00FB3B20
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00F01F8C FindFirstFileExW, 9_2_00F01F8C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00F933B0 FindFirstFileA,FindNextFileA,FindClose, 10_2_00F933B0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00FB3B20 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 10_2_00FB3B20
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00F01F8C FindFirstFileExW, 10_2_00F01F8C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00FAD2B0 RegOpenKeyExA,RegQueryValueExA,RegOpenKeyExA,RegQueryValueExA,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA, 9_2_00FAD2B0
Source: RageMP131.exe, 0000000A.00000003.2929143633.0000000008841000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: formVMware20,11696428655
Source: mYIh1SipB8ryWeb Data.10.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: mYIh1SipB8ryWeb Data.10.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: mYIh1SipB8ryWeb Data.10.dr Binary or memory string: global block list test formVMware20,11696428655
Source: RageMP131.exe, 0000000A.00000003.2929143633.0000000008841000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ccount.microsoft.com/profileVMware20,11696428655u
Source: vEaFCBsRb7.exe, 00000000.00000002.3235371502.000000000160A000.00000004.00000020.00020000.00000000.sdmp, vEaFCBsRb7.exe, 00000000.00000002.3235371502.00000000015D7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3235354494.00000000011C0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3235201337.000000000142B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3235201337.0000000001410000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3235201337.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3126250989.0000000001969000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3126250989.0000000001981000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.3126250989.0000000001938000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3117805791.00000000019AC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: RageMP131.exe, 0000000A.00000002.3123655863.00000000084A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}.b
Source: RageMP131.exe, 0000000A.00000003.2929143633.0000000008841000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CT service, encrypted_token FROM token_servicerr global passwords blocklistVMware20,11696428655
Source: mYIh1SipB8ryWeb Data.10.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: RageMP131.exe, 0000000A.00000003.2929143633.0000000008841000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696
Source: RageMP131.exe, 0000000A.00000003.2287239044.0000000001985000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 0000000A.00000003.2929143633.0000000008841000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: r global passwords blocklistVMware20,11696428655
Source: RageMP131.exe, 0000000A.00000003.2929143633.0000000008841000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,1169642865h
Source: mYIh1SipB8ryWeb Data.10.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: RageMP131.exe, 0000000A.00000002.3117805791.0000000001910000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: mYIh1SipB8ryWeb Data.10.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: mYIh1SipB8ryWeb Data.10.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: mYIh1SipB8ryWeb Data.10.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: mYIh1SipB8ryWeb Data.10.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: mYIh1SipB8ryWeb Data.10.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: mYIh1SipB8ryWeb Data.10.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: RageMP131.exe, 0000000A.00000003.2929143633.0000000008841000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ra Change Transaction PasswordVMware20,11696428655
Source: RageMP131.exe, 00000009.00000002.3126250989.000000000194C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}S
Source: RageMP131.exe, 0000000A.00000003.3027891603.00000000019E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\*
Source: RageMP131.exe, 0000000A.00000003.2929143633.0000000008841000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: o.inVMware20,11696428655~
Source: mYIh1SipB8ryWeb Data.10.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: vEaFCBsRb7.exe, 00000000.00000002.3235371502.00000000015EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_3CAFD154Z
Source: mYIh1SipB8ryWeb Data.10.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: RageMP131.exe, 0000000A.00000003.3027954444.00000000019EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_3CAFD154
Source: RageMP131.exe, RageMP131.exe, 0000000A.00000002.3116482293.00000000011F1000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: mYIh1SipB8ryWeb Data.10.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: RageMP131.exe, 0000000A.00000002.3117805791.000000000197D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
Source: mYIh1SipB8ryWeb Data.10.dr Binary or memory string: discord.comVMware20,11696428655f
Source: RageMP131.exe, 0000000A.00000002.3123655863.00000000084B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: vEaFCBsRb7.exe, 00000000.00000003.2017005225.00000000015EF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}it
Source: vEaFCBsRb7.exe, 00000000.00000002.3235371502.0000000001570000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&Ku
Source: RageMP131.exe, 0000000A.00000003.2929143633.0000000008841000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,116
Source: mYIh1SipB8ryWeb Data.10.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: RageMP131.exe, 0000000A.00000003.2929143633.0000000008841000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HARtive Brokers - non-EU EuropeVMware20,11696428655
Source: mYIh1SipB8ryWeb Data.10.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: RageMP131.exe, 00000009.00000002.3129981998.0000000008100000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}x
Source: mYIh1SipB8ryWeb Data.10.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: MPGPH131.exe, 00000006.00000002.3235354494.0000000001185000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb
Source: RageMP131.exe, 00000009.00000003.2193716468.000000000194E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}R
Source: RageMP131.exe, 0000000A.00000003.2287239044.0000000001985000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-
Source: RageMP131.exe, 00000009.00000003.2940272026.000000000814D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}r
Source: mYIh1SipB8ryWeb Data.10.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: RageMP131.exe, 0000000A.00000003.2929143633.0000000008841000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: comVMware20,11696428655o
Source: mYIh1SipB8ryWeb Data.10.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: mYIh1SipB8ryWeb Data.10.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: mYIh1SipB8ryWeb Data.10.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: mYIh1SipB8ryWeb Data.10.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: mYIh1SipB8ryWeb Data.10.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: mYIh1SipB8ryWeb Data.10.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: MPGPH131.exe, 00000006.00000002.3235354494.00000000011C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWj
Source: mYIh1SipB8ryWeb Data.10.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: mYIh1SipB8ryWeb Data.10.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: RageMP131.exe, 0000000A.00000003.2929143633.0000000008841000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rootpagecomVMware20,11696428655o
Source: vEaFCBsRb7.exe, 00000000.00000002.3235371502.00000000015EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}he
Source: RageMP131.exe, 0000000A.00000002.3117805791.00000000019AC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}#
Source: mYIh1SipB8ryWeb Data.10.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: RageMP131.exe, 0000000A.00000003.2929143633.0000000008841000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pageformVMware20,11696428655
Source: RageMP131.exe, 0000000A.00000003.2929143633.0000000008841000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428p
Source: mYIh1SipB8ryWeb Data.10.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: mYIh1SipB8ryWeb Data.10.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: RageMP131.exe, 0000000A.00000003.2929143633.0000000008841000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tive Brokers - non-EU EuropeVMware20,11696428655
Source: MPGPH131.exe, 00000006.00000002.3235354494.0000000001176000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX
Source: vEaFCBsRb7.exe, 00000000.00000002.3232285822.0000000000361000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3232314107.0000000000751000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.3232115056.0000000000751000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000009.00000002.3125031105.00000000011F1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000A.00000002.3116482293.00000000011F1000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: mYIh1SipB8ryWeb Data.10.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: RageMP131.exe, 00000009.00000002.3126250989.0000000001938000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000J_
Source: MPGPH131.exe, 00000006.00000003.2073052706.000000000118F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}W|
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger Jump to behavior
Potentially malicious time measurement code found
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_04EC064E Start: 04EC062D End: 04EC0631 6_2_04EC064E
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_05310589 Start: 05310687 End: 053105EE 7_2_05310589
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_05310866 Start: 053109E3 End: 05310880 7_2_05310866
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_0531070B Start: 0531077E End: 0531077A 7_2_0531070B
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: ollydbg
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: SICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Code function: 0_2_05480B9E rdtsc 0_2_05480B9E
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00F94130 mov eax, dword ptr fs:[00000030h] 9_2_00F94130
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00F61A60 mov eax, dword ptr fs:[00000030h] 9_2_00F61A60
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00F94130 mov eax, dword ptr fs:[00000030h] 10_2_00F94130
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00F61A60 mov eax, dword ptr fs:[00000030h] 10_2_00F61A60
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3232115056.0000000000751000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, RageMP131.exe, 0000000A.00000002.3116482293.00000000011F1000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: GProgram Manager
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Code function: 0_2_0007360D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_0007360D
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 9_2_00FAD2B0 RegOpenKeyExA,RegQueryValueExA,RegOpenKeyExA,RegQueryValueExA,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA, 9_2_00FAD2B0
Source: C:\Users\user\Desktop\vEaFCBsRb7.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected RisePro Stealer
Source: Yara match File source: 0000000A.00000002.3123655863.00000000084EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2941479862.0000000008123000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2940272026.0000000008123000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2942013456.0000000008123000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3126250989.0000000001957000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2940922087.0000000008123000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3123655863.00000000084B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3130008466.0000000008123000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vEaFCBsRb7.exe PID: 2944, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 4836, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 5052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 1784, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7220, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\YZiM0LfOCL0wAoFFqwq287m.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\MGAxghooOX7va8QMyrnsU_W.zip, type: DROPPED
Found many strings related to Crypto-Wallets (likely being stolen)
Source: RageMP131.exe, 00000009.00000002.3126250989.00000000019A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: RageMP131.exe, 00000009.00000002.3126250989.0000000001938000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: RageMP131.exe, 00000009.00000002.3126250989.00000000019A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\com.liberty.jaxx
Source: RageMP131.exe, 00000009.00000002.3126250989.00000000019A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: RageMP131.exe, 00000009.00000002.3126250989.00000000018DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: RageMP131.exe, 00000009.00000002.3126250989.00000000019A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: RageMP131.exe, 00000009.00000002.3126250989.0000000001938000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
Source: RageMP131.exe, 00000009.00000002.3126250989.00000000018DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: RageMP131.exe, 00000009.00000002.3126250989.00000000019A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: RageMP131.exe, 00000009.00000002.3126250989.0000000001981000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*@^4
Source: RageMP131.exe, 00000009.00000002.3126250989.0000000001981000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
Source: RageMP131.exe, 00000009.00000002.3129981998.0000000008100000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\formhistory.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\places.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\signons.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\logins.json Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\signons.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 0000000A.00000002.3117805791.00000000019AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3129981998.0000000008100000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 1784, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7220, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected RisePro Stealer
Source: Yara match File source: 0000000A.00000002.3123655863.00000000084EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2941479862.0000000008123000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2940272026.0000000008123000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2942013456.0000000008123000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3126250989.0000000001957000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2940922087.0000000008123000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3123655863.00000000084B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3130008466.0000000008123000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vEaFCBsRb7.exe PID: 2944, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 4836, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 5052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 1784, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7220, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\YZiM0LfOCL0wAoFFqwq287m.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\MGAxghooOX7va8QMyrnsU_W.zip, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1435467 Sample: vEaFCBsRb7.exe Startdate: 02/05/2024 Architecture: WINDOWS Score: 100 35 ipinfo.io 2->35 37 db-ip.com 2->37 45 Snort IDS alert for network traffic 2->45 47 Multi AV Scanner detection for domain / URL 2->47 49 Antivirus detection for URL or domain 2->49 51 5 other signatures 2->51 8 RageMP131.exe 56 2->8         started        12 vEaFCBsRb7.exe 1 9 2->12         started        15 MPGPH131.exe 2 2->15         started        17 2 other processes 2->17 signatures3 process4 dnsIp5 27 C:\Users\user\...\MGAxghooOX7va8QMyrnsU_W.zip, Zip 8->27 dropped 53 Multi AV Scanner detection for dropped file 8->53 55 Detected unpacking (changes PE section rights) 8->55 57 Tries to detect sandboxes and other dynamic analysis tools (window names) 8->57 59 Found many strings related to Crypto-Wallets (likely being stolen) 8->59 39 147.45.47.93, 49705, 49706, 49707 FREE-NET-ASFREEnetEU Russian Federation 12->39 41 ipinfo.io 34.117.186.192, 443, 49716, 49717 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 12->41 43 db-ip.com 172.67.75.166, 443, 49720, 49721 CLOUDFLARENETUS United States 12->43 29 C:\Users\user\AppData\Local\...\RageMP131.exe, PE32 12->29 dropped 31 C:\ProgramData\MPGPH131\MPGPH131.exe, PE32 12->31 dropped 61 Found stalling execution ending in API Sleep call 12->61 63 Uses schtasks.exe or at.exe to add and modify task schedules 12->63 65 Tries to evade debugger and weak emulator (self modifying code) 12->65 67 Tries to detect virtualization through RDTSC time measurements 12->67 19 schtasks.exe 1 12->19         started        21 schtasks.exe 1 12->21         started        69 Machine Learning detection for dropped file 15->69 77 2 other signatures 15->77 33 C:\Users\user\...\YZiM0LfOCL0wAoFFqwq287m.zip, Zip 17->33 dropped 71 Tries to steal Mail credentials (via file / registry access) 17->71 73 Tries to harvest and steal browser information (history, passwords, etc) 17->73 75 Tries to detect sandboxes / dynamic malware analysis system (registry check) 17->75 file6 signatures7 process8 process9 23 conhost.exe 19->23         started        25 conhost.exe 21->25         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
34.117.186.192
 ipinfo.io United States
139070 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG false
147.45.47.93
 unknown Russian Federation
2895 FREE-NET-ASFREEnetEU true
172.67.75.166
 db-ip.com United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
ipinfo.io 34.117.186.192 true
db-ip.com 172.67.75.166 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://ipinfo.io/widget/demo/191.96.150.225 false
    		high
    https://db-ip.com/demo/home.php?s=191.96.150.225 false
      		high