Windows Analysis Report
OUZXNOqKXg.exe

Overview

General Information

Sample name: OUZXNOqKXg.exe
renamed because original name is a hash value
Original sample name: dbff4297c4294225e0a98f3ff43c6829.exe
Analysis ID: 1435285
MD5: dbff4297c4294225e0a98f3ff43c6829
SHA1: a3aecf975805e0bb5788199c2e4f66deb707d723
SHA256: a186a21c5024ef2cdb857612bb7ef6e322ef2ccfb1bfae48d462dc5ffd9ccba0
Tags: 32, exe, trojan

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
Connects to many ports of the same IP (likely port scanning)
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found decision node followed by non-executed suspicious APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

AV Detection

Source: http://147.45.47.102:57893/hera/amadka.exe Avira URL Cloud: Label: malware
Source: http://147.45.47.102:57893/hera/amadka.exe Virustotal: Detection: 18%
Source: http://193.233.132.56/cost/go.exe Virustotal: Detection: 19%
Source: http://193.233.132.56/cost/sok.exe Virustotal: Detection: 21%
Source: http://193.233.132.56/cost/lenin.exe Virustotal: Detection: 21%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe ReversingLabs: Detection: 47%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Virustotal: Detection: 50%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Virustotal: Detection: 50%
Source: OUZXNOqKXg.exe Virustotal: Detection: 50%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Source: OUZXNOqKXg.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00D63EB0 CryptUnprotectData,CryptUnprotectData, 0_2_00D63EB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F83EB0 CryptUnprotectData,CryptUnprotectData, 6_2_00F83EB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F83EB0 CryptUnprotectData,CryptUnprotectData, 7_2_00F83EB0
Source: OUZXNOqKXg.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49716 version: TLS 1.0
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.24.147:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.24.147:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.24.147:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.5:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 69.192.108.161:443 -> 192.168.2.5:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 69.192.108.161:443 -> 192.168.2.5:49762 version: TLS 1.2
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00D633B0 FindFirstFileA,FindNextFileA, 0_2_00D633B0
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00D83B20 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_00D83B20
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00CD1F8C FindFirstFileExW, 0_2_00CD1F8C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F833B0 FindFirstFileA,FindNextFileA, 6_2_00F833B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00FA3B20 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 6_2_00FA3B20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00EF1F8C FindFirstFileExW, 6_2_00EF1F8C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F833B0 FindFirstFileA,FindNextFileA,FindClose, 7_2_00F833B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00FA3B20 FindFirstFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 7_2_00FA3B20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00EF1F8C FindFirstFileExW, 7_2_00EF1F8C
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MPGPH131.exe_efa6ea435623776204e2ff3e8ee4f891ec76e69_2d68038f_52783177-a43b-47d0-addd-1377208c22e4\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_OUZXNOqKXg.exe_5390e549b8f70678a22be0d1b2bb235f301267_520e7665_01f7457b-adcf-4fbc-ae7c-da9e5bdd937b\

Networking

Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.5:49705 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49705
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49705
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49705 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49708
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49709
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49708
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49709
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49709 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49708 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49721
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49727
Source: global traffic TCP traffic: 147.45.47.93 ports 0,5,7,8,58709,9
Source: global traffic TCP traffic: 192.168.2.5:49705 -> 147.45.47.93:58709
Source: Joe Sandbox View IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View IP Address: 147.45.47.93 147.45.47.93
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
Source: Joe Sandbox View JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49716 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 40.127.169.103
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00D65940 recv,WSAStartup,closesocket,socket,connect,closesocket, 0_2_00D65940
Source: global traffic HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=cdML4eDe1e3weSz&MD=ounyMw+g HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=cdML4eDe1e3weSz&MD=ounyMw+g HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGJzozbEGIjCxTehgS7Xj9JABG9mCXW98VQ5yfDr7OKui0mBNEQv43K_hnjR_IbcTaqS2cHi5QPgyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-11; NID=513=OcwQxdRtw2tvZrtvB0DD3jgHpNn0HlpIiSvcevEUOLjwYVWhsOpgLXTLhbJ2HY3d58Ay3qVRiJ2VhdetPg273AQJTVwD4TFMmEaq4aGZuyIQkSJTRdyeM8HukHWBdIVA_GMzPzB7KxQXyYaMJ6fjg6nsdbdTnhSR-CRf3Zzsc-E
Source: global traffic HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGJzozbEGIjBA57m2OnHq4MuqM1LINkAHVsFdZO-nSsIbTZhoH_tZk0bZIq1X5_t8JY-lJBTRSsoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIkqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-11; NID=513=OcwQxdRtw2tvZrtvB0DD3jgHpNn0HlpIiSvcevEUOLjwYVWhsOpgLXTLhbJ2HY3d58Ay3qVRiJ2VhdetPg273AQJTVwD4TFMmEaq4aGZuyIQkSJTRdyeM8HukHWBdIVA_GMzPzB7KxQXyYaMJ6fjg6nsdbdTnhSR-CRf3Zzsc-E
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: global traffic DNS traffic detected: DNS query: db-ip.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: unknown HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 3592Host: login.live.com
Source: OUZXNOqKXg.exe, 00000000.00000002.2496012876.0000000000697000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2495907015.0000000000B36000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2495829524.000000000077E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe
Source: OUZXNOqKXg.exe, 00000000.00000002.2496012876.0000000000697000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2495907015.0000000000B36000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2495829524.000000000077E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/go.exe
Source: MPGPH131.exe, 00000007.00000002.2495829524.000000000077E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/go.exelS
Source: OUZXNOqKXg.exe, 00000000.00000002.2496012876.0000000000697000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/go.exet
Source: MPGPH131.exe, 00000006.00000002.2495907015.0000000000B36000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2495829524.000000000077E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/lenin.exe
Source: MPGPH131.exe, 00000007.00000002.2495829524.000000000077E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/lenin.exeeS
Source: OUZXNOqKXg.exe, 00000000.00000002.2496012876.0000000000697000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/lenin.exeka.ex%
Source: OUZXNOqKXg.exe, 00000000.00000002.2513399708.00000000075D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/lenin.exer
Source: MPGPH131.exe, 00000007.00000003.2276669635.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/sok.exe
Source: MPGPH131.exe, 00000007.00000002.2495829524.000000000077E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/sok.exebS
Source: Amcache.hve.12.dr String found in binary or memory: http://upx.sf.net
Source: OUZXNOqKXg.exe, 00000000.00000002.2497651376.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2002580673.0000000004960000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2089915255.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2497650348.0000000000EC1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.2501580348.0000000000EC1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2089594487.0000000004970000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2352696404.0000000000FF1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.2191104526.00000000051C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2420304740.0000000000FF1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000D.00000003.2288639202.0000000004E20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: OUZXNOqKXg.exe, 00000000.00000003.2132940072.000000000765A000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2131325613.000000000764C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2239311285.0000000007D6C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2260495218.0000000007DFB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2237290449.0000000007D68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2242010119.0000000007556000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2240147052.0000000007551000.00000004.00000020.00020000.00000000.sdmp, IcAhGBHRo3YOWeb Data.0.dr, PaWWAHmKp8fWWeb Data.6.dr, 96e_HOYMTAmIWeb Data.0.dr, DYntKPfaj3fyWeb Data.0.dr, PfUMhVZm9gXZWeb Data.6.dr, ItL735j0X1vDWeb Data.6.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: OUZXNOqKXg.exe, 00000000.00000003.2132940072.000000000765A000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2131325613.000000000764C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2239311285.0000000007D6C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2260495218.0000000007DFB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2237290449.0000000007D68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2242010119.0000000007556000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2240147052.0000000007551000.00000004.00000020.00020000.00000000.sdmp, IcAhGBHRo3YOWeb Data.0.dr, PaWWAHmKp8fWWeb Data.6.dr, 96e_HOYMTAmIWeb Data.0.dr, DYntKPfaj3fyWeb Data.0.dr, PfUMhVZm9gXZWeb Data.6.dr, ItL735j0X1vDWeb Data.6.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: OUZXNOqKXg.exe, 00000000.00000003.2132940072.000000000765A000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2131325613.000000000764C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2239311285.0000000007D6C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2260495218.0000000007DFB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2237290449.0000000007D68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2242010119.0000000007556000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2240147052.0000000007551000.00000004.00000020.00020000.00000000.sdmp, IcAhGBHRo3YOWeb Data.0.dr, PaWWAHmKp8fWWeb Data.6.dr, 96e_HOYMTAmIWeb Data.0.dr, DYntKPfaj3fyWeb Data.0.dr, PfUMhVZm9gXZWeb Data.6.dr, ItL735j0X1vDWeb Data.6.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: OUZXNOqKXg.exe, 00000000.00000003.2132940072.000000000765A000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2131325613.000000000764C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2239311285.0000000007D6C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2260495218.0000000007DFB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2237290449.0000000007D68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2242010119.0000000007556000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2240147052.0000000007551000.00000004.00000020.00020000.00000000.sdmp, IcAhGBHRo3YOWeb Data.0.dr, PaWWAHmKp8fWWeb Data.6.dr, 96e_HOYMTAmIWeb Data.0.dr, DYntKPfaj3fyWeb Data.0.dr, PfUMhVZm9gXZWeb Data.6.dr, ItL735j0X1vDWeb Data.6.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: OUZXNOqKXg.exe, 00000000.00000002.2496012876.0000000000697000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2495907015.0000000000B36000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2495829524.000000000077E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2351837318.0000000000E41000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2419611346.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: RageMP131.exe, 0000000D.00000002.2419611346.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225
Source: RageMP131.exe, 0000000D.00000002.2419611346.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225a
Source: RageMP131.exe, 0000000D.00000002.2419611346.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225c
Source: OUZXNOqKXg.exe, 00000000.00000002.2496012876.0000000000697000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2351837318.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2419611346.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=191.96.150.225
Source: MPGPH131.exe, 00000006.00000002.2495907015.0000000000B36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=191.96.150.225A
Source: MPGPH131.exe, 00000007.00000002.2495829524.000000000077E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=191.96.150.225P
Source: OUZXNOqKXg.exe, 00000000.00000003.2132940072.000000000765A000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2131325613.000000000764C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2239311285.0000000007D6C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2260495218.0000000007DFB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2237290449.0000000007D68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2242010119.0000000007556000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2240147052.0000000007551000.00000004.00000020.00020000.00000000.sdmp, IcAhGBHRo3YOWeb Data.0.dr, PaWWAHmKp8fWWeb Data.6.dr, 96e_HOYMTAmIWeb Data.0.dr, DYntKPfaj3fyWeb Data.0.dr, PfUMhVZm9gXZWeb Data.6.dr, ItL735j0X1vDWeb Data.6.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: OUZXNOqKXg.exe, 00000000.00000003.2132940072.000000000765A000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2131325613.000000000764C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2239311285.0000000007D6C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2260495218.0000000007DFB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2237290449.0000000007D68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2242010119.0000000007556000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2240147052.0000000007551000.00000004.00000020.00020000.00000000.sdmp, IcAhGBHRo3YOWeb Data.0.dr, PaWWAHmKp8fWWeb Data.6.dr, 96e_HOYMTAmIWeb Data.0.dr, DYntKPfaj3fyWeb Data.0.dr, PfUMhVZm9gXZWeb Data.6.dr, ItL735j0X1vDWeb Data.6.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: OUZXNOqKXg.exe, 00000000.00000003.2132940072.000000000765A000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2131325613.000000000764C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2239311285.0000000007D6C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2260495218.0000000007DFB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2237290449.0000000007D68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2242010119.0000000007556000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2240147052.0000000007551000.00000004.00000020.00020000.00000000.sdmp, IcAhGBHRo3YOWeb Data.0.dr, PaWWAHmKp8fWWeb Data.6.dr, 96e_HOYMTAmIWeb Data.0.dr, DYntKPfaj3fyWeb Data.0.dr, PfUMhVZm9gXZWeb Data.6.dr, ItL735j0X1vDWeb Data.6.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RageMP131.exe, 0000000D.00000002.2419611346.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2419611346.0000000000BC4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2419611346.0000000000C22000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2419611346.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: RageMP131.exe, 00000008.00000002.2351837318.0000000000DCF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/K
Source: OUZXNOqKXg.exe, 00000000.00000002.2496012876.0000000000688000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2495907015.0000000000B36000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2495829524.0000000000770000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2351837318.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2419611346.0000000000C22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: OUZXNOqKXg.exe, 00000000.00000002.2496012876.000000000066C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/S
Source: OUZXNOqKXg.exe, 00000000.00000002.2497651376.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2002580673.0000000004960000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2089915255.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2497650348.0000000000EC1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.2501580348.0000000000EC1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2089594487.0000000004970000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2352696404.0000000000FF1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.2191104526.00000000051C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2420304740.0000000000FF1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000D.00000003.2288639202.0000000004E20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: MPGPH131.exe, 00000007.00000002.2495829524.0000000000765000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/v
Source: OUZXNOqKXg.exe, 00000000.00000002.2496012876.0000000000688000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000002.2496012876.000000000066C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2495907015.0000000000AE9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2495907015.0000000000B36000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2495829524.000000000071C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2495829524.0000000000770000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2351837318.0000000000DCA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2419611346.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.225
Source: MPGPH131.exe, 00000007.00000002.2495829524.000000000071C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.2251
Source: RageMP131.exe, 00000008.00000002.2351837318.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.225;
Source: OUZXNOqKXg.exe, 00000000.00000002.2496012876.000000000066C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.225v
Source: RageMP131.exe, 0000000D.00000002.2419611346.0000000000C22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.225z
Source: MPGPH131.exe, 00000006.00000002.2495907015.0000000000B36000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2351837318.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2419611346.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.150.225
Source: OUZXNOqKXg.exe, 00000000.00000002.2496012876.0000000000688000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.150.225h
Source: MPGPH131.exe, 00000007.00000002.2495829524.0000000000770000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.150.225w
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://support.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: OUZXNOqKXg.exe, 00000000.00000002.2513399708.000000000763D000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000002.2513399708.00000000075D8000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000002.2496012876.00000000005FE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2279686406.0000000007A05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2495907015.0000000000AAD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2514314393.0000000007A05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2276710480.0000000007927000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2513672666.00000000074E0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2276646038.000000000791C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2495829524.00000000006EA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2514580399.0000000007928000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2351837318.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2419611346.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp, omSBwUIH4pet5KxkFSj3Ooa.zip.0.dr, HWrdWlyArR5ylxzokfJFSLT.zip.7.dr String found in binary or memory: https://t.me/RiseProSUPPORT
Source: MPGPH131.exe, 00000006.00000003.2279686406.0000000007A05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2514314393.0000000007A05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT1
Source: MPGPH131.exe, 00000007.00000003.2276710480.0000000007927000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2276646038.000000000791C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2514580399.0000000007928000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTA
Source: OUZXNOqKXg.exe, 00000000.00000002.2496012876.00000000005FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTY
Source: RageMP131.exe, 0000000D.00000002.2419611346.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.7.dr, passwords.txt.0.dr String found in binary or memory: https://t.me/risepro_bot
Source: MPGPH131.exe, 00000006.00000002.2495907015.0000000000B36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot0.225
Source: MPGPH131.exe, 00000007.00000002.2495829524.000000000077E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot:S
Source: RageMP131.exe, 00000008.00000002.2351837318.0000000000E41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botD
Source: RageMP131.exe, 0000000D.00000002.2419611346.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botN5
Source: OUZXNOqKXg.exe, 00000000.00000002.2496012876.0000000000697000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2495907015.0000000000B36000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2351837318.0000000000E41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botisepro_bot
Source: MPGPH131.exe, 00000007.00000002.2495829524.000000000077E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botlater3S
Source: RageMP131.exe, 0000000D.00000002.2419611346.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botrisepro
Source: MPGPH131.exe, 00000006.00000002.2495907015.0000000000B36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.p
Source: RageMP131.exe, 00000008.00000002.2351837318.0000000000E41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.x
Source: OUZXNOqKXg.exe, 00000000.00000003.2132940072.000000000765A000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2131325613.000000000764C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2239311285.0000000007D6C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2260495218.0000000007DFB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2237290449.0000000007D68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2242010119.0000000007556000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2240147052.0000000007551000.00000004.00000020.00020000.00000000.sdmp, IcAhGBHRo3YOWeb Data.0.dr, PaWWAHmKp8fWWeb Data.6.dr, 96e_HOYMTAmIWeb Data.0.dr, DYntKPfaj3fyWeb Data.0.dr, PfUMhVZm9gXZWeb Data.6.dr, ItL735j0X1vDWeb Data.6.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: OUZXNOqKXg.exe, 00000000.00000003.2132940072.000000000765A000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2131325613.000000000764C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2239311285.0000000007D6C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2260495218.0000000007DFB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2237290449.0000000007D68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2242010119.0000000007556000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2240147052.0000000007551000.00000004.00000020.00020000.00000000.sdmp, IcAhGBHRo3YOWeb Data.0.dr, PaWWAHmKp8fWWeb Data.6.dr, 96e_HOYMTAmIWeb Data.0.dr, DYntKPfaj3fyWeb Data.0.dr, PfUMhVZm9gXZWeb Data.6.dr, ItL735j0X1vDWeb Data.6.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: OUZXNOqKXg.exe, 00000000.00000002.2513399708.00000000075D8000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2179456574.00000000075D9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2514314393.00000000079CC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2279686406.00000000079CC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2497154861.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2276669635.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: OUZXNOqKXg.exe, 00000000.00000002.2513399708.00000000075D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/3
Source: OUZXNOqKXg.exe, 00000000.00000003.2143053881.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2172578105.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2133297840.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2174364595.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2171722519.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2179456574.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2170152454.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2179114613.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2132200707.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000002.2513399708.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2172825784.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2131613536.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2173818572.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2170483238.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2131947040.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2179710953.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2134450472.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2170933371.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2171220617.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2131398179.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2139144057.0000000007632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: MPGPH131.exe, 00000007.00000002.2497154861.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2276669635.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/o
Source: OUZXNOqKXg.exe, 00000000.00000002.2513399708.00000000075D8000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2179456574.00000000075D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/p
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: OUZXNOqKXg.exe, 00000000.00000003.2143053881.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2172578105.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2133297840.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2174364595.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2171722519.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2179456574.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2170152454.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2179114613.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2132200707.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000002.2513399708.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2172825784.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2131613536.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2173818572.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2170483238.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2131947040.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2179710953.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2134450472.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2170933371.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2171220617.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2131398179.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2139144057.0000000007632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: OUZXNOqKXg.exe, 00000000.00000002.2513399708.00000000075D8000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2179456574.00000000075D9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2514314393.00000000079CC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2279686406.00000000079CC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2497154861.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2276669635.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: MPGPH131.exe, 00000007.00000002.2497154861.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2276669635.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/3
Source: MPGPH131.exe, 00000007.00000002.2497154861.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2276669635.00000000007D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/D)
Source: MPGPH131.exe, 00000006.00000002.2514314393.00000000079CC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2279686406.00000000079CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/efox/s
Source: OUZXNOqKXg.exe, 00000000.00000003.2143053881.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2172578105.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2133297840.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2174364595.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2171722519.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2179456574.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2170152454.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2179114613.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2132200707.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000002.2513399708.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2172825784.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2131613536.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2173818572.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2170483238.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2131947040.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2179710953.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2134450472.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2170933371.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2171220617.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2131398179.0000000007632000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2139144057.0000000007632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: MPGPH131.exe, 00000006.00000002.2514314393.00000000079CC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2279686406.00000000079CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/r
Source: OUZXNOqKXg.exe, 00000000.00000002.2513399708.00000000075D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/ve
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.24.147:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.24.147:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.24.147:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.127.169.103:443 -> 192.168.2.5:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 69.192.108.161:443 -> 192.168.2.5:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 69.192.108.161:443 -> 192.168.2.5:49762 version: TLS 1.2

System Summary

Source: OUZXNOqKXg.exe Static PE information: section name:
Source: OUZXNOqKXg.exe Static PE information: section name: .idata
Source: OUZXNOqKXg.exe Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00DDC8D0 0_2_00DDC8D0
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00CAB8E0 0_2_00CAB8E0
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00D98080 0_2_00D98080
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00CE001D 0_2_00CE001D
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00D361D0 0_2_00D361D0
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00D749B0 0_2_00D749B0
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00D38A80 0_2_00D38A80
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00D7D2B0 0_2_00D7D2B0
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00D31A60 0_2_00D31A60
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00D3CBF0 0_2_00D3CBF0
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00D7C3E0 0_2_00D7C3E0
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00D47D20 0_2_00D47D20
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00D33ED0 0_2_00D33ED0
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00D3AEC0 0_2_00D3AEC0
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00D7B7E0 0_2_00D7B7E0
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00D2DF60 0_2_00D2DF60
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00D1F730 0_2_00D1F730
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00DD20C0 0_2_00DD20C0
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00DE40A0 0_2_00DE40A0
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00CD7190 0_2_00CD7190
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00CDC950 0_2_00CDC950
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00DE3160 0_2_00DE3160
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00D22100 0_2_00D22100
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00CDA918 0_2_00CDA918
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00D41130 0_2_00D41130
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00DE4AE0 0_2_00DE4AE0
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00D84B90 0_2_00D84B90
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00CF8BA0 0_2_00CF8BA0
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00D30BA0 0_2_00D30BA0
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00D90350 0_2_00D90350
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00CE035F 0_2_00CE035F
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00CF25FE 0_2_00CF25FE
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00CCF570 0_2_00CCF570
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00D41E40 0_2_00D41E40
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00CF8E20 0_2_00CF8E20
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00D8BFC0 0_2_00D8BFC0
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00D8CFC0 0_2_00D8CFC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00FB8080 6_2_00FB8080
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F0001D 6_2_00F0001D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F561D0 6_2_00F561D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F9D2B0 6_2_00F9D2B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F9C3E0 6_2_00F9C3E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F9B7E0 6_2_00F9B7E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F3F730 6_2_00F3F730
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00ECB8E0 6_2_00ECB8E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00FFC8D0 6_2_00FFC8D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F949B0 6_2_00F949B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F58A80 6_2_00F58A80
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F51A60 6_2_00F51A60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F5CBF0 6_2_00F5CBF0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F67D20 6_2_00F67D20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F53ED0 6_2_00F53ED0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F5AEC0 6_2_00F5AEC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F4DF60 6_2_00F4DF60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00FF20C0 6_2_00FF20C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_01003160 6_2_01003160
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00EF7190 6_2_00EF7190
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_010040A0 6_2_010040A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F61130 6_2_00F61130
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F42100 6_2_00F42100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00FFF280 6_2_00FFF280
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00FB0350 6_2_00FB0350
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F0035F 6_2_00F0035F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00EEF570 6_2_00EEF570
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F147AD 6_2_00F147AD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00EFC950 6_2_00EFC950
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00EFA918 6_2_00EFA918
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F0DA74 6_2_00F0DA74
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_01005A40 6_2_01005A40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F18BA0 6_2_00F18BA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F50BA0 6_2_00F50BA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00FA4B90 6_2_00FA4B90
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_01004AE0 6_2_01004AE0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F61E40 6_2_00F61E40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F18E20 6_2_00F18E20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00FABFC0 6_2_00FABFC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00FACFC0 6_2_00FACFC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00FB8080 7_2_00FB8080
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F0001D 7_2_00F0001D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F561D0 7_2_00F561D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F9D2B0 7_2_00F9D2B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F9C3E0 7_2_00F9C3E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F9B7E0 7_2_00F9B7E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F3F730 7_2_00F3F730
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00ECB8E0 7_2_00ECB8E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00FFC8D0 7_2_00FFC8D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F949B0 7_2_00F949B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F58A80 7_2_00F58A80
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F51A60 7_2_00F51A60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F5CBF0 7_2_00F5CBF0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F67D20 7_2_00F67D20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F53ED0 7_2_00F53ED0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F5AEC0 7_2_00F5AEC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F4DF60 7_2_00F4DF60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00FF20C0 7_2_00FF20C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_01003160 7_2_01003160
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00EF7190 7_2_00EF7190
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_010040A0 7_2_010040A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F61130 7_2_00F61130
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F42100 7_2_00F42100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00FFF280 7_2_00FFF280
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00FB0350 7_2_00FB0350
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F0035F 7_2_00F0035F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00EEF570 7_2_00EEF570
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F147AD 7_2_00F147AD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00EFC950 7_2_00EFC950
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00EFA918 7_2_00EFA918
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F0DA74 7_2_00F0DA74
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_01005A40 7_2_01005A40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F18BA0 7_2_00F18BA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F50BA0 7_2_00F50BA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00FA4B90 7_2_00FA4B90
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_01004AE0 7_2_01004AE0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F61E40 7_2_00F61E40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F18E20 7_2_00F18E20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00FABFC0 7_2_00FABFC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00FACFC0 7_2_00FACFC0
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: String function: 00CBACE0 appears 86 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 00EF4370 appears 58 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 00EDACE0 appears 172 times
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 2120
Source: OUZXNOqKXg.exe Binary or memory string: OriginalFilename vs OUZXNOqKXg.exe
Source: OUZXNOqKXg.exe, 00000000.00000000.1991621166.0000000001268000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs OUZXNOqKXg.exe
Source: OUZXNOqKXg.exe, 00000000.00000002.2506180621.0000000001268000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs OUZXNOqKXg.exe
Source: OUZXNOqKXg.exe, 00000000.00000003.2044068954.0000000004AF9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs OUZXNOqKXg.exe
Source: OUZXNOqKXg.exe, 00000000.00000002.2504947651.0000000000E27000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs OUZXNOqKXg.exe
Source: OUZXNOqKXg.exe, 00000000.00000002.2495826892.00000000005E0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs OUZXNOqKXg.exe
Source: OUZXNOqKXg.exe Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs OUZXNOqKXg.exe
Source: OUZXNOqKXg.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@28/70@4/6
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00D7D2B0 RegOpenKeyExA,RegQueryValueExA,RegOpenKeyExA,RegQueryValueExA,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA, 0_2_00D7D2B0
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe File created: C:\Users\user\AppData\Local\RageMP131
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:428:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4292:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6044
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1964
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1048
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: OUZXNOqKXg.exe, 00000000.00000002.2497651376.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2002580673.0000000004960000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2089915255.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2497650348.0000000000EC1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.2501580348.0000000000EC1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2089594487.0000000004970000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2352696404.0000000000FF1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.2191104526.00000000051C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2420304740.0000000000FF1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000D.00000003.2288639202.0000000004E20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: OUZXNOqKXg.exe, 00000000.00000002.2497651376.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, OUZXNOqKXg.exe, 00000000.00000003.2002580673.0000000004960000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2089915255.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2497650348.0000000000EC1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.2501580348.0000000000EC1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2089594487.0000000004970000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2352696404.0000000000FF1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.2191104526.00000000051C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2420304740.0000000000FF1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000D.00000003.2288639202.0000000004E20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: OUZXNOqKXg.exe, 00000000.00000003.2131398179.00000000075EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_;
Source: OUZXNOqKXg.exe, 00000000.00000003.2131398179.00000000075EB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2266643346.0000000007D51000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2263138775.000000000791B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2237582680.000000000752B000.00000004.00000020.00020000.00000000.sdmp, ED7tWrpGNjOYLogin Data For Account.0.dr, KFrsFkuEtVx7Login Data.7.dr, l1q_1j16WyA9Login Data.0.dr, 10GGX8YOPvgsLogin Data.0.dr, fCfRKg2Q_74JLogin Data For Account.6.dr, DmxiK99S1aMvLogin Data.6.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: OUZXNOqKXg.exe Virustotal: Detection: 50%
Source: OUZXNOqKXg.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: OUZXNOqKXg.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe File read: C:\Users\user\Desktop\OUZXNOqKXg.exe
Source: unknown Process created: C:\Users\user\Desktop\OUZXNOqKXg.exe "C:\Users\user\Desktop\OUZXNOqKXg.exe"
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 2120
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 2028
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 2092
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1940,i,7949673732740788315,15977875228803599202,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1940,i,7949673732740788315,15977875228803599202,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: vaultcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wintypes.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll
Source: Gmail.lnk.21.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.21.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.21.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Google Drive.lnk.21.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.21.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.21.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: OUZXNOqKXg.exe Static file information: File size 2384896 > 1048576
Source: OUZXNOqKXg.exe Static PE information: Raw size of dzwgyjhu is bigger than: 0x100000 < 0x197400

Data Obfuscation

Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Unpacked PE file: 0.2.OUZXNOqKXg.exe.ca0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;dzwgyjhu:EW;eyfudhmj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;dzwgyjhu:EW;eyfudhmj:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 6.2.MPGPH131.exe.ec0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;dzwgyjhu:EW;eyfudhmj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;dzwgyjhu:EW;eyfudhmj:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 7.2.MPGPH131.exe.ec0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;dzwgyjhu:EW;eyfudhmj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;dzwgyjhu:EW;eyfudhmj:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 8.2.RageMP131.exe.ff0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;dzwgyjhu:EW;eyfudhmj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;dzwgyjhu:EW;eyfudhmj:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 13.2.RageMP131.exe.ff0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;dzwgyjhu:EW;eyfudhmj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;dzwgyjhu:EW;eyfudhmj:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: RageMP131.exe.0.dr Static PE information: real checksum: 0x25468e should be: 0x252d4c
Source: OUZXNOqKXg.exe Static PE information: real checksum: 0x25468e should be: 0x252d4c
Source: MPGPH131.exe.0.dr Static PE information: real checksum: 0x25468e should be: 0x252d4c
Source: OUZXNOqKXg.exe Static PE information: section name:
Source: OUZXNOqKXg.exe Static PE information: section name: .idata
Source: OUZXNOqKXg.exe Static PE information: section name:
Source: OUZXNOqKXg.exe Static PE information: section name: dzwgyjhu
Source: OUZXNOqKXg.exe Static PE information: section name: eyfudhmj
Source: OUZXNOqKXg.exe Static PE information: section name: .taggant
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: dzwgyjhu
Source: RageMP131.exe.0.dr Static PE information: section name: eyfudhmj
Source: RageMP131.exe.0.dr Static PE information: section name: .taggant
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: dzwgyjhu
Source: MPGPH131.exe.0.dr Static PE information: section name: eyfudhmj
Source: MPGPH131.exe.0.dr Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00CD3F49 push ecx; ret 0_2_00CD3F5C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00EF3F49 push ecx; ret 6_2_00EF3F5C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00EF3F49 push ecx; ret 7_2_00EF3F5C
Source: OUZXNOqKXg.exe Static PE information: section name: entropy: 7.924413766856182
Source: OUZXNOqKXg.exe Static PE information: section name: dzwgyjhu entropy: 7.9091416517540845
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.924413766856182
Source: RageMP131.exe.0.dr Static PE information: section name: dzwgyjhu entropy: 7.9091416517540845
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.924413766856182
Source: MPGPH131.exe.0.dr Static PE information: section name: dzwgyjhu entropy: 7.9091416517540845
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Boot Survival

Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FA98D1 second address: FA98DF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F3E94B7DA5Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FA98DF second address: FA991F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F3E94D6E784h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f jnl 00007F3E94D6E776h 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 pop edi 0x00000018 jmp 00007F3E94D6E789h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: F9CAA8 second address: F9CAAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FA88F3 second address: FA8908 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3E952D7946h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jnc 00007F3E952D7946h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FA8908 second address: FA8941 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F3E949294A8h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3E949294A4h 0x00000011 jc 00007F3E94929496h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FA8E8B second address: FA8EA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edx 0x00000006 jmp 00007F3E952D7953h 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FA8EA5 second address: FA8EC4 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3E94929498h 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3E9492949Dh 0x0000000f jbe 00007F3E94929496h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FA8EC4 second address: FA8ECA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FAC012 second address: FAC01C instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3E94929496h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FAC01C second address: FAC026 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3E952D794Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FAC026 second address: E369BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 xor dword ptr [esp], 188910BCh 0x0000000d mov dword ptr [ebp+122D1B08h], eax 0x00000013 push dword ptr [ebp+122D0169h] 0x00000019 cmc 0x0000001a push eax 0x0000001b mov cl, E1h 0x0000001d pop ecx 0x0000001e call dword ptr [ebp+122D1BBCh] 0x00000024 pushad 0x00000025 stc 0x00000026 xor eax, eax 0x00000028 mov dword ptr [ebp+122D1B0Dh], edi 0x0000002e mov edx, dword ptr [esp+28h] 0x00000032 jmp 00007F3E949294A4h 0x00000037 mov dword ptr [ebp+122D3737h], eax 0x0000003d mov dword ptr [ebp+122D29CFh], ecx 0x00000043 jnl 00007F3E9492949Eh 0x00000049 mov esi, 0000003Ch 0x0000004e pushad 0x0000004f jl 00007F3E9492949Ch 0x00000055 sub dword ptr [ebp+122D19BEh], ebx 0x0000005b mov eax, dword ptr [ebp+122D359Bh] 0x00000061 popad 0x00000062 add esi, dword ptr [esp+24h] 0x00000066 jmp 00007F3E9492949Fh 0x0000006b lodsw 0x0000006d jg 00007F3E9492949Ch 0x00000073 jg 00007F3E9492949Ch 0x00000079 add eax, dword ptr [esp+24h] 0x0000007d pushad 0x0000007e clc 0x0000007f jmp 00007F3E949294A5h 0x00000084 popad 0x00000085 sub dword ptr [ebp+122D29CFh], edi 0x0000008b mov ebx, dword ptr [esp+24h] 0x0000008f jnp 00007F3E949294A4h 0x00000095 nop 0x00000096 pushad 0x00000097 push ecx 0x00000098 jmp 00007F3E949294A1h 0x0000009d pop ecx 0x0000009e jo 00007F3E9492949Ch 0x000000a4 push eax 0x000000a5 push edx 0x000000a6 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FAC080 second address: FAC084 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FAC084 second address: FAC088 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FAC1AA second address: FAC1D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D7953h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F3E952D794Dh 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FAC1D5 second address: FAC1DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FAC41D second address: FAC426 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FBE029 second address: FBE036 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pushad 0x0000000b popad 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FCA4C3 second address: FCA4CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F3E952D7946h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FCA4CD second address: FCA4E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007F3E9492949Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FCA8FF second address: FCA906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FCA906 second address: FCA90E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FCA90E second address: FCA912 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FCAA41 second address: FCAA4B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3E94929496h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FCAFED second address: FCAFF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FCB18D second address: FCB193 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FCB58F second address: FCB593 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FCB593 second address: FCB5C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F3E94929496h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f jmp 00007F3E949294A9h 0x00000014 jmp 00007F3E9492949Ah 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FCBE0F second address: FCBE1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007F3E952D794Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FCBE1E second address: FCBE44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F3E949294B2h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FCBE44 second address: FCBE50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007F3E952D7946h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FCBFC1 second address: FCBFC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FCBFC5 second address: FCBFC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FCC178 second address: FCC17C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FCC17C second address: FCC189 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FCFE6F second address: FCFE79 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3E94929496h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FCFE79 second address: FCFE7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FCEF4B second address: FCEF50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FD00EA second address: FD0114 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D794Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push esi 0x0000000d jng 00007F3E952D7948h 0x00000013 pushad 0x00000014 popad 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FD0114 second address: FD0118 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FD0118 second address: FD012E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D7952h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FD012E second address: FD0133 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FD8CDF second address: FD8CFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3E952D794Dh 0x00000009 popad 0x0000000a pushad 0x0000000b js 00007F3E952D7946h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FD8CFA second address: FD8D00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FD8D00 second address: FD8D06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: F9AFE2 second address: F9B005 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3E949294ABh 0x00000008 jmp 00007F3E949294A5h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: F9B005 second address: F9B028 instructions: 0x00000000 rdtsc 0x00000002 je 00007F3E952D7946h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f jmp 00007F3E952D794Eh 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 pop eax 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FD80B6 second address: FD80DC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3E9492949Fh 0x0000000b jne 00007F3E94929498h 0x00000011 popad 0x00000012 push ebx 0x00000013 push esi 0x00000014 pushad 0x00000015 popad 0x00000016 pop esi 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FD8219 second address: FD821D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FD821D second address: FD8221 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FD8221 second address: FD8227 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FD8227 second address: FD8237 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F3E94929496h 0x0000000a jno 00007F3E94929496h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FD83E5 second address: FD8404 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D7953h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FD8404 second address: FD8408 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FD8824 second address: FD8893 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D794Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F3E952D7957h 0x00000011 jmp 00007F3E952D7956h 0x00000016 jp 00007F3E952D7946h 0x0000001c popad 0x0000001d pushad 0x0000001e pushad 0x0000001f popad 0x00000020 jmp 00007F3E952D7955h 0x00000025 popad 0x00000026 popad 0x00000027 push ecx 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F3E952D794Ah 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FD8893 second address: FD8897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FD8897 second address: FD88BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D7955h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F3E952D794Bh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FD8B67 second address: FD8B6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FD8B6B second address: FD8B71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FD8B71 second address: FD8B77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FD8B77 second address: FD8B92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3E952D7957h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FD8B92 second address: FD8BBE instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3E94929496h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F3E949294A5h 0x00000016 jnc 00007F3E94929496h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FD8BBE second address: FD8BC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FDAA0A second address: FDAA0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FDAD89 second address: FDAD8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FDAD8D second address: FDAD9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F3E9492949Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FDB0C4 second address: FDB0DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3E952D794Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FDB79F second address: FDB7A9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3E94929496h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FDB966 second address: FDB96C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FDBAFE second address: FDBB02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FDBB02 second address: FDBB06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FDBB8C second address: FDBBA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jne 00007F3E94929496h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FDBBA0 second address: FDBBA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FDBBA6 second address: FDBBAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FDC07F second address: FDC11A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jns 00007F3E952D794Eh 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ebp 0x00000013 call 00007F3E952D7948h 0x00000018 pop ebp 0x00000019 mov dword ptr [esp+04h], ebp 0x0000001d add dword ptr [esp+04h], 0000001Dh 0x00000025 inc ebp 0x00000026 push ebp 0x00000027 ret 0x00000028 pop ebp 0x00000029 ret 0x0000002a mov edi, dword ptr [ebp+122D3407h] 0x00000030 push 00000000h 0x00000032 jnl 00007F3E952D7958h 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push ebp 0x0000003d call 00007F3E952D7948h 0x00000042 pop ebp 0x00000043 mov dword ptr [esp+04h], ebp 0x00000047 add dword ptr [esp+04h], 00000017h 0x0000004f inc ebp 0x00000050 push ebp 0x00000051 ret 0x00000052 pop ebp 0x00000053 ret 0x00000054 mov edi, dword ptr [ebp+122D3877h] 0x0000005a mov edi, dword ptr [ebp+122D36FFh] 0x00000060 push eax 0x00000061 pushad 0x00000062 push eax 0x00000063 push edx 0x00000064 jmp 00007F3E952D794Dh 0x00000069 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FDCAEF second address: FDCAF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FDCAF5 second address: FDCAF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FDCAF9 second address: FDCAFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FDDB74 second address: FDDB7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FDDB7B second address: FDDBA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007F3E9492949Ah 0x0000000d nop 0x0000000e and si, 3E55h 0x00000013 push 00000000h 0x00000015 movzx esi, bx 0x00000018 push 00000000h 0x0000001a mov si, bx 0x0000001d xchg eax, ebx 0x0000001e pushad 0x0000001f push edi 0x00000020 push eax 0x00000021 pop eax 0x00000022 pop edi 0x00000023 push eax 0x00000024 push edx 0x00000025 push ebx 0x00000026 pop ebx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FDE681 second address: FDE73D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F3E952D7956h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007F3E952D7948h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 0000001Ch 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 mov dword ptr [ebp+122D214Eh], edx 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push eax 0x00000031 call 00007F3E952D7948h 0x00000036 pop eax 0x00000037 mov dword ptr [esp+04h], eax 0x0000003b add dword ptr [esp+04h], 00000017h 0x00000043 inc eax 0x00000044 push eax 0x00000045 ret 0x00000046 pop eax 0x00000047 ret 0x00000048 pushad 0x00000049 call 00007F3E952D7957h 0x0000004e call 00007F3E952D794Bh 0x00000053 pop ebx 0x00000054 pop edx 0x00000055 or edx, 0FA6647Bh 0x0000005b popad 0x0000005c jmp 00007F3E952D794Fh 0x00000061 push 00000000h 0x00000063 je 00007F3E952D794Ch 0x00000069 jno 00007F3E952D7946h 0x0000006f xchg eax, ebx 0x00000070 push eax 0x00000071 push edx 0x00000072 jc 00007F3E952D7948h 0x00000078 pushad 0x00000079 popad 0x0000007a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FDE73D second address: FDE747 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3E9492949Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FE08D3 second address: FE08D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FE08D8 second address: FE08ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3E949294A1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FE1CB3 second address: FE1CB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FE53DF second address: FE5403 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3E9492949Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3E949294A0h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FE5403 second address: FE5473 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 mov edi, dword ptr [ebp+122D37A7h] 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007F3E952D7948h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 00000016h 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a add dword ptr [ebp+12475E76h], ebx 0x00000030 jc 00007F3E952D7947h 0x00000036 clc 0x00000037 push 00000000h 0x00000039 call 00007F3E952D7954h 0x0000003e mov bl, ch 0x00000040 pop edi 0x00000041 xchg eax, esi 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007F3E952D7959h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FE5473 second address: FE547D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F3E94929496h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FE663E second address: FE664F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D794Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FE664F second address: FE6655 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FE775F second address: FE7764 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FEB62E second address: FEB632 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FEB632 second address: FEB638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FEB638 second address: FEB63F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FEA849 second address: FEA84D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FEA84D second address: FEA857 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3E94929496h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FEB6BD second address: FEB6C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FEB6C1 second address: FEB6E6 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3E94929496h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F3E949294A8h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FEB6E6 second address: FEB6F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FEC727 second address: FEC731 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3E94929496h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FF07D8 second address: FF0863 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3E952D7946h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push ecx 0x0000000d push edx 0x0000000e pop edx 0x0000000f pop ecx 0x00000010 jmp 00007F3E952D7952h 0x00000015 popad 0x00000016 nop 0x00000017 call 00007F3E952D7950h 0x0000001c push eax 0x0000001d mov ebx, dword ptr [ebp+122D37E3h] 0x00000023 pop edi 0x00000024 pop ebx 0x00000025 mov bx, di 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push edx 0x0000002d call 00007F3E952D7948h 0x00000032 pop edx 0x00000033 mov dword ptr [esp+04h], edx 0x00000037 add dword ptr [esp+04h], 00000014h 0x0000003f inc edx 0x00000040 push edx 0x00000041 ret 0x00000042 pop edx 0x00000043 ret 0x00000044 push 00000000h 0x00000046 push 00000000h 0x00000048 push esi 0x00000049 call 00007F3E952D7948h 0x0000004e pop esi 0x0000004f mov dword ptr [esp+04h], esi 0x00000053 add dword ptr [esp+04h], 00000019h 0x0000005b inc esi 0x0000005c push esi 0x0000005d ret 0x0000005e pop esi 0x0000005f ret 0x00000060 mov edi, 757E89B4h 0x00000065 push eax 0x00000066 push ecx 0x00000067 pushad 0x00000068 push eax 0x00000069 push edx 0x0000006a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FED855 second address: FED869 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3E9492949Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FF1730 second address: FF173F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FF173F second address: FF1743 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FF1743 second address: FF1749 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FED869 second address: FED8B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a call 00007F3E9492949Ch 0x0000000f mov ebx, dword ptr [ebp+122D27E9h] 0x00000015 pop edi 0x00000016 push dword ptr fs:[00000000h] 0x0000001d or edi, 39B96CE1h 0x00000023 mov dword ptr fs:[00000000h], esp 0x0000002a mov edi, dword ptr [ebp+122D1B08h] 0x00000030 mov eax, dword ptr [ebp+122D15B9h] 0x00000036 xor dword ptr [ebp+12471299h], esi 0x0000003c push FFFFFFFFh 0x0000003e mov bx, dx 0x00000041 nop 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FED8B8 second address: FED8BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FED8BE second address: FED8C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FED8C4 second address: FED8C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FED8C8 second address: FED8E8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F3E949294A3h 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FF3758 second address: FF3761 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FF4728 second address: FF4733 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F3E94929496h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FF3913 second address: FF3917 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FFC991 second address: FFC995 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FFC995 second address: FFC99E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FFE50E second address: FFE548 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F3E949294A2h 0x0000000b jmp 00007F3E9492949Fh 0x00000010 jmp 00007F3E949294A2h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1002C97 second address: 1002C9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 100738F second address: 1007395 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1007395 second address: 1007399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1007399 second address: 100739D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 100739D second address: 10073A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 10073A3 second address: 10073E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e push edx 0x0000000f pop edx 0x00000010 pop ebx 0x00000011 jmp 00007F3E9492949Ch 0x00000016 jc 00007F3E949294AEh 0x0000001c jmp 00007F3E949294A8h 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 10073E2 second address: 10073E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1007B04 second address: 1007B19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F3E9492949Fh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1007C91 second address: 1007CB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pushad 0x00000007 je 00007F3E952D7946h 0x0000000d jmp 00007F3E952D7956h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 100BD3A second address: 100BD40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 100BD40 second address: 100BD4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnl 00007F3E952D7946h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 100BD4F second address: 100BD57 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 100BD57 second address: 100BD61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F3E952D7946h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FE2AA8 second address: FE2AAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FE2B1C second address: FE2B55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D7952h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push esi 0x0000000c push ebx 0x0000000d push eax 0x0000000e pop eax 0x0000000f pop ebx 0x00000010 pop esi 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F3E952D7955h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FE2B55 second address: FE2B68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3E9492949Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FE2B68 second address: FE2B80 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jc 00007F3E952D7952h 0x00000010 jns 00007F3E952D794Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FE2B80 second address: FE2BAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dword ptr [esp+04h], eax 0x00000008 pushad 0x00000009 jmp 00007F3E949294A9h 0x0000000e push eax 0x0000000f push edx 0x00000010 jnc 00007F3E94929496h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FE2BAA second address: FE2BDB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 or dword ptr [ebp+122D2538h], eax 0x0000000e push D73D084Dh 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007F3E952D7958h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FE2CBE second address: FE2CE3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007F3E949294A5h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FE2CE3 second address: FE2CE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FE2CE8 second address: FE2CEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FE2FD6 second address: FE2FDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FE2FDA second address: FE2FE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FE2FE4 second address: FE2FF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov cx, D64Ah 0x0000000c push 00000004h 0x0000000e nop 0x0000000f push ebx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FE3530 second address: FE353A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F3E94929496h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FE3688 second address: FE36A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3E952D7958h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FE36A4 second address: FE36DC instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3E94929496h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jp 00007F3E9492949Eh 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 jne 00007F3E949294A2h 0x0000001d mov eax, dword ptr [eax] 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FE36DC second address: FE36E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FE36E3 second address: FE370F instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3E949294ACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FE370F second address: FE3715 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FE3794 second address: FE379E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F3E94929496h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FE379E second address: FE37BF instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3E952D7946h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F3E952D7952h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FE37BF second address: FE3825 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b jne 00007F3E9492949Eh 0x00000011 lea eax, dword ptr [ebp+1247F3BEh] 0x00000017 jg 00007F3E949294B4h 0x0000001d nop 0x0000001e push esi 0x0000001f jno 00007F3E949294A3h 0x00000025 pop esi 0x00000026 push eax 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a jns 00007F3E94929496h 0x00000030 push ecx 0x00000031 pop ecx 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FE3825 second address: FE382A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FE382A second address: FE3853 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 jng 00007F3E9492949Bh 0x0000000e sub di, BFD7h 0x00000013 lea eax, dword ptr [ebp+1247F37Ah] 0x00000019 xor dword ptr [ebp+122D1A50h], edx 0x0000001f nop 0x00000020 jc 00007F3E9492949Eh 0x00000026 push edi 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FE3853 second address: FC1F24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 jne 00007F3E952D795Dh 0x0000000c nop 0x0000000d jnp 00007F3E952D794Ch 0x00000013 call dword ptr [ebp+1244FAF4h] 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FC1F24 second address: FC1F2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FC1F2A second address: FC1F39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D794Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FC1F39 second address: FC1F43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FC1F43 second address: FC1F58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F3E952D794Eh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: F9E637 second address: F9E64E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007F3E9492949Fh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 100C1D5 second address: 100C1D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 100C34F second address: 100C355 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 100C355 second address: 100C35E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 100C35E second address: 100C364 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 100C4A4 second address: 100C4A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 100C4A8 second address: 100C4B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 100C4B0 second address: 100C4E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jl 00007F3E952D7946h 0x00000009 jmp 00007F3E952D7951h 0x0000000e pop eax 0x0000000f push ebx 0x00000010 jmp 00007F3E952D7957h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 100C78F second address: 100C797 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 100C797 second address: 100C7BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F3E952D7946h 0x0000000a popad 0x0000000b push ebx 0x0000000c pushad 0x0000000d popad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 jnc 00007F3E952D7946h 0x00000019 jmp 00007F3E952D794Dh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 100C94D second address: 100C952 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 100FD17 second address: 100FD34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pop ecx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pushad 0x0000000d popad 0x0000000e push edi 0x0000000f pop edi 0x00000010 pop edi 0x00000011 jo 00007F3E952D794Ch 0x00000017 jbe 00007F3E952D7946h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 101894E second address: 1018952 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1018952 second address: 1018974 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3E952D7957h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1018974 second address: 10189A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 ja 00007F3E9492949Eh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f push eax 0x00000010 pop eax 0x00000011 jmp 00007F3E949294A7h 0x00000016 pop ebx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1017598 second address: 10175AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3E952D794Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 10176E2 second address: 1017711 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3E9492949Eh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F3E949294A5h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1017711 second address: 101772C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3E952D7956h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 101772C second address: 1017733 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1017733 second address: 101773D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1017895 second address: 10178A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F3E94929496h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1017CDB second address: 1017D06 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3E952D794Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3E952D7959h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1017D06 second address: 1017D0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 101723F second address: 101724B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F3E952D7946h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 101724B second address: 1017250 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1017250 second address: 101727A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D7955h 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jne 00007F3E952D7946h 0x00000010 pop edx 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 101819F second address: 10181A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 10181A3 second address: 10181B6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3E952D794Bh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 10181B6 second address: 10181C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E9492949Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1018348 second address: 101835A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3E952D794Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 101835A second address: 101836C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c ja 00007F3E94929496h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 101836C second address: 101838A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F3E952D7958h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 101838A second address: 101838F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1018647 second address: 101864D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 101864D second address: 1018658 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 101CF43 second address: 101CF69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop eax 0x00000007 push esi 0x00000008 pushad 0x00000009 popad 0x0000000a jne 00007F3E952D7946h 0x00000010 pop esi 0x00000011 pushad 0x00000012 jmp 00007F3E952D794Ch 0x00000017 ja 00007F3E952D7946h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 101D0F9 second address: 101D0FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 101D3A6 second address: 101D3C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 jmp 00007F3E952D7955h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 101D3C4 second address: 101D3CE instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3E94929496h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 101D712 second address: 101D716 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 101DAE4 second address: 101DAE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 101DD55 second address: 101DD59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 101E1D4 second address: 101E1DE instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3E94929496h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 101CB6A second address: 101CB8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3E952D7958h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 10231F7 second address: 102321D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E949294A1h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3E9492949Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1022B16 second address: 1022B4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3E952D7955h 0x00000009 jmp 00007F3E952D7951h 0x0000000e jnc 00007F3E952D7946h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push esi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1022B4C second address: 1022B53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1022B53 second address: 1022B59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1022B59 second address: 1022B63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F3E94929496h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1022F23 second address: 1022F5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3E952D794Eh 0x00000008 js 00007F3E952D7946h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push edx 0x00000014 jl 00007F3E952D7957h 0x0000001a jmp 00007F3E952D7951h 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1022F5A second address: 1022F62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1025574 second address: 1025593 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 ja 00007F3E952D7946h 0x0000000b pop eax 0x0000000c jng 00007F3E952D794Ah 0x00000012 pushad 0x00000013 jc 00007F3E952D7946h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 102526C second address: 1025270 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1025270 second address: 1025291 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D7953h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007F3E952D7946h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1029538 second address: 102954A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 js 00007F3E94929496h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 102954A second address: 1029556 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jnl 00007F3E952D7946h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1029556 second address: 102956F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F3E949294A3h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 102956F second address: 1029573 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1029573 second address: 1029583 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1028D28 second address: 1028D42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3E952D794Dh 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 102ABFA second address: 102AC29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3E949294A6h 0x00000009 jmp 00007F3E949294A5h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FA01F0 second address: FA0200 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F3E952D7946h 0x0000000a jno 00007F3E952D7946h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FA0200 second address: FA0204 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 102EDFF second address: 102EE09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 102EE09 second address: 102EE1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3E9492949Ah 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 102F230 second address: 102F234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 102F234 second address: 102F241 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 pushad 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 102F395 second address: 102F3A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F3E952D7946h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 102F3A1 second address: 102F3C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007F3E949294A2h 0x0000000b pop esi 0x0000000c je 00007F3E949294A2h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 102F541 second address: 102F54F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F3E952D7946h 0x0000000a pop edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 102F54F second address: 102F555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 102F555 second address: 102F55A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 102F55A second address: 102F576 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3E949294A5h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 103367F second address: 1033699 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3E952D7954h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1033699 second address: 10336A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1033808 second address: 1033840 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D7959h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3E952D7958h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 10339B5 second address: 10339BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1033B1F second address: 1033B37 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D7954h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1033B37 second address: 1033B45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1033B45 second address: 1033B49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1033CB8 second address: 1033CBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 10341C0 second address: 10341E5 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3E952D794Ch 0x00000008 jnc 00007F3E952D794Eh 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 10341E5 second address: 10341E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 103C4EE second address: 103C4FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jc 00007F3E952D7946h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 103C4FB second address: 103C51E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F3E94929496h 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F3E949294A6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 103AA09 second address: 103AA1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jns 00007F3E952D7946h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 103AA1B second address: 103AA25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 103AA25 second address: 103AA2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 103AA2B second address: 103AA4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jl 00007F3E949294A8h 0x0000000d jmp 00007F3E949294A2h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 103AA4A second address: 103AA50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 103AA50 second address: 103AA54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 103AA54 second address: 103AA62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007F3E952D7946h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 103ABD0 second address: 103ABD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 103ABD4 second address: 103ABDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 103ABDD second address: 103ABF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3E9492949Fh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 103B32B second address: 103B352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F3E952D7946h 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push esi 0x00000014 pop esi 0x00000015 push edx 0x00000016 pop edx 0x00000017 jmp 00007F3E952D794Fh 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1041214 second address: 104121A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1044CE1 second address: 1044CF4 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F3E952D7946h 0x00000008 je 00007F3E952D7946h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1044CF4 second address: 1044D20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F3E94929496h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pushad 0x0000000f popad 0x00000010 jg 00007F3E94929496h 0x00000016 pop edi 0x00000017 jmp 00007F3E949294A5h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 104FA28 second address: 104FA2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1053374 second address: 1053378 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1053378 second address: 105339D instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3E952D7946h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b jmp 00007F3E952D7952h 0x00000010 pop edx 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 105339D second address: 10533A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 10533A3 second address: 10533BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D794Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1052D0B second address: 1052D1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3E9492949Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1057508 second address: 1057530 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D7954h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jno 00007F3E952D794Eh 0x00000011 push esi 0x00000012 pop esi 0x00000013 jno 00007F3E952D7946h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1057530 second address: 105753A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F3E94929496h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 10576B1 second address: 10576C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D7954h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 10576C9 second address: 10576D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1059F3F second address: 1059F4C instructions: 0x00000000 rdtsc 0x00000002 je 00007F3E952D7946h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1059F4C second address: 1059F51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1059F51 second address: 1059F5B instructions: 0x00000000 rdtsc 0x00000002 js 00007F3E952D7960h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 106D961 second address: 106D982 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3E94929496h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3E949294A5h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1098314 second address: 1098331 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D7959h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1097E7A second address: 1097E98 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3E949294A4h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 1097E98 second address: 1097E9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 10C0B30 second address: 10C0B38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 10C0B38 second address: 10C0B4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3E952D794Bh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 10C0F5F second address: 10C0F64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 10C0F64 second address: 10C0F6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 10C125A second address: 10C125E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 10C125E second address: 10C1266 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 10C43BA second address: 10C43C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 10C4658 second address: 10C465C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 10C4772 second address: 10C47A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F3E949294A0h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 pushad 0x00000012 pushad 0x00000013 jbe 00007F3E94929496h 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F3E9492949Ch 0x00000023 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 10C47A7 second address: 10C47AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 10C49AE second address: 10C49BC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007F3E94929496h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 10C49BC second address: 10C4A13 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dx, E5DAh 0x0000000e mov edx, eax 0x00000010 push dword ptr [ebp+122D1B7Bh] 0x00000016 pushad 0x00000017 mov dword ptr [ebp+122D2E1Ah], edx 0x0000001d mov dword ptr [ebp+12476E26h], edi 0x00000023 popad 0x00000024 call 00007F3E952D7950h 0x00000029 jmp 00007F3E952D794Ch 0x0000002e pop edx 0x0000002f push DD7669E6h 0x00000034 pushad 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F3E952D794Eh 0x0000003c rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 10C4A13 second address: 10C4A17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: F979B3 second address: F979D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 jmp 00007F3E952D7955h 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 pop eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: F979D5 second address: F979DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 10C767F second address: 10C7683 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 10C7683 second address: 10C7689 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49F0762 second address: 49F0790 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D7951h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F3E952D794Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 movzx esi, dx 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49F0790 second address: 49F07CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E949294A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007F3E9492949Dh 0x00000012 pop esi 0x00000013 jmp 00007F3E949294A1h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49F07CC second address: 49F07D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49C01BB second address: 49C01C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49C01C1 second address: 49C01C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49C01C5 second address: 49C01EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F3E9492949Eh 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F3E9492949Ch 0x00000017 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49C01EC second address: 49C01FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 call 00007F3E952D794Ch 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49C01FF second address: 49C0226 instructions: 0x00000000 rdtsc 0x00000002 call 00007F3E9492949Bh 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F3E949294A2h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49C0226 second address: 49C0271 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F3E952D7951h 0x00000009 add si, 6D06h 0x0000000e jmp 00007F3E952D7951h 0x00000013 popfd 0x00000014 movzx eax, di 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pop ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F3E952D7956h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A20EF4 second address: 4A20EF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A20EF8 second address: 4A20EFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A20EFE second address: 4A20F94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dh, ch 0x00000005 movsx edi, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F3E9492949Fh 0x00000013 xor ax, 64FEh 0x00000018 jmp 00007F3E949294A9h 0x0000001d popfd 0x0000001e push eax 0x0000001f call 00007F3E949294A7h 0x00000024 pop esi 0x00000025 pop ebx 0x00000026 popad 0x00000027 xchg eax, ebp 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b pushad 0x0000002c popad 0x0000002d pushfd 0x0000002e jmp 00007F3E949294A7h 0x00000033 adc eax, 2CD8146Eh 0x00000039 jmp 00007F3E949294A9h 0x0000003e popfd 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A20F94 second address: 4A20F9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A20F9A second address: 4A20F9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A20F9E second address: 4A20FBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3E952D7952h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49B0DF9 second address: 49B0DFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49B0DFD second address: 49B0E01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49B0E01 second address: 49B0E07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49B0E07 second address: 49B0E16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3E952D794Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49B0E16 second address: 49B0E1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49B0E1A second address: 49B0E2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov ebx, 7DA2B152h 0x00000011 mov ax, di 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49B0E2F second address: 49B0E50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E949294A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49B0E50 second address: 49B0E54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49B0E54 second address: 49B0E71 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E949294A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49B0E71 second address: 49B0E77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49B0E77 second address: 49B0E7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49B0E7B second address: 49B0EBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F3E952D794Fh 0x0000000f push dword ptr [ebp+04h] 0x00000012 jmp 00007F3E952D7956h 0x00000017 push dword ptr [ebp+0Ch] 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F3E952D794Ah 0x00000023 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49B0EBE second address: 49B0EC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49B0EC2 second address: 49B0EC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A20B5B second address: 4A20B61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A20B61 second address: 4A20B67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A20B67 second address: 4A20B6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A20B6B second address: 4A20BBA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b pushad 0x0000000c mov ebx, eax 0x0000000e push ecx 0x0000000f call 00007F3E952D7955h 0x00000014 pop esi 0x00000015 pop edx 0x00000016 popad 0x00000017 mov ebp, esp 0x00000019 jmp 00007F3E952D794Ch 0x0000001e pop ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F3E952D7957h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A20BBA second address: 4A20BC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A20BC0 second address: 4A20BC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A00BE8 second address: 4A00BEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A00BEC second address: 4A00BF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A00BF2 second address: 4A00C1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E9492949Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3E949294A7h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A00C1A second address: 4A00C1F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A00C1F second address: 4A00C2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d mov di, si 0x00000010 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A00C2F second address: 4A00C41 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 1405FEFFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edi, eax 0x0000000b popad 0x0000000c xchg eax, ebp 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 mov edi, eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A00C41 second address: 4A00C57 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov ax, B20Bh 0x0000000a popad 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov dh, 3Bh 0x00000012 movzx esi, dx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A00C57 second address: 4A00C5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A5007F second address: 4A500A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, 484F5A97h 0x00000008 mov bh, ch 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop ebp 0x0000000e pushad 0x0000000f jmp 00007F3E949294A5h 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A30A51 second address: 4A30A63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3E952D794Dh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A30A63 second address: 4A30A69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A30A69 second address: 4A30A6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A30A6D second address: 4A30A71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A30A71 second address: 4A30A81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c movsx edx, cx 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A30A81 second address: 4A30ACE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E9492949Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c jmp 00007F3E949294A6h 0x00000011 mov ebp, esp 0x00000013 jmp 00007F3E949294A0h 0x00000018 pop ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F3E9492949Ah 0x00000022 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A30ACE second address: 4A30AD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A30AD2 second address: 4A30AD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49C0896 second address: 49C08FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3E952D7957h 0x00000008 pushfd 0x00000009 jmp 00007F3E952D7958h 0x0000000e xor si, 5508h 0x00000013 jmp 00007F3E952D794Bh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov ebp, esp 0x0000001e jmp 00007F3E952D7956h 0x00000023 pop ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49C08FC second address: 49C0900 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49C0900 second address: 49C0904 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49C0904 second address: 49C090A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49C090A second address: 49C090F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A20C1A second address: 4A20C1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A20C1E second address: 4A20C24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A3030B second address: 4A3033A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E949294A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and dword ptr [eax], 00000000h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3E9492949Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A3033A second address: 4A3034A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3E952D794Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A00B17 second address: 4A00B1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A00B1E second address: 4A00B93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F3E952D7953h 0x00000009 sbb ecx, 21CC828Eh 0x0000000f jmp 00007F3E952D7959h 0x00000014 popfd 0x00000015 mov cx, 0197h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, ebp 0x0000001d jmp 00007F3E952D794Ah 0x00000022 mov ebp, esp 0x00000024 jmp 00007F3E952D7950h 0x00000029 pop ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F3E952D7957h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A00B93 second address: 4A00BAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3E949294A4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A30C63 second address: 4A30C69 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A30C69 second address: 4A30C80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3E949294A3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A30C80 second address: 4A30CC7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D7959h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F3E952D794Eh 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 call 00007F3E952D794Dh 0x0000001b pop ecx 0x0000001c mov ebx, 522DF2D4h 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49E08A5 second address: 49E08B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3E9492949Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49E08B5 second address: 49E08DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b mov eax, edx 0x0000000d mov dh, C7h 0x0000000f popad 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F3E952D7957h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A409CE second address: 4A40A1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E949294A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b call 00007F3E949294A7h 0x00000010 mov ch, C7h 0x00000012 pop ebx 0x00000013 popad 0x00000014 xchg eax, ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F3E949294A9h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A40A1E second address: 4A40A33 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D7951h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A40A33 second address: 4A40A43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3E9492949Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A40A43 second address: 4A40A59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3E952D794Ah 0x00000011 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A40A59 second address: 4A40A8B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ecx 0x00000009 jmp 00007F3E949294A8h 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F3E9492949Eh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A40A8B second address: 4A40A91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A40A91 second address: 4A40A95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A40BD9 second address: 4A40BDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A40BDF second address: 4A40BE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A0001C second address: 4A00043 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D7951h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3E952D794Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A00043 second address: 4A00049 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A00049 second address: 4A00067 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3E952D7952h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A00067 second address: 4A0006D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A0006D second address: 4A0012B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and esp, FFFFFFF8h 0x0000000b jmp 00007F3E952D7959h 0x00000010 xchg eax, ecx 0x00000011 pushad 0x00000012 jmp 00007F3E952D794Ch 0x00000017 mov ax, 1361h 0x0000001b popad 0x0000001c push eax 0x0000001d jmp 00007F3E952D7957h 0x00000022 xchg eax, ecx 0x00000023 pushad 0x00000024 mov di, cx 0x00000027 pushfd 0x00000028 jmp 00007F3E952D7950h 0x0000002d or eax, 2328DC58h 0x00000033 jmp 00007F3E952D794Bh 0x00000038 popfd 0x00000039 popad 0x0000003a xchg eax, ebx 0x0000003b pushad 0x0000003c pushad 0x0000003d pushfd 0x0000003e jmp 00007F3E952D7952h 0x00000043 and cx, 66B8h 0x00000048 jmp 00007F3E952D794Bh 0x0000004d popfd 0x0000004e movzx eax, di 0x00000051 popad 0x00000052 mov di, EDE8h 0x00000056 popad 0x00000057 push eax 0x00000058 jmp 00007F3E952D794Eh 0x0000005d xchg eax, ebx 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A0012B second address: 4A0012F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A0012F second address: 4A00135 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A00135 second address: 4A0013B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A0013B second address: 4A00172 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, dword ptr [ebp+10h] 0x0000000b pushad 0x0000000c mov esi, 31173BBFh 0x00000011 mov ecx, 180DD4DBh 0x00000016 popad 0x00000017 xchg eax, esi 0x00000018 jmp 00007F3E952D794Eh 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F3E952D794Eh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A00172 second address: 4A001A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, C784h 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, esi 0x0000000d pushad 0x0000000e mov edi, 564BB4FAh 0x00000013 mov ecx, edi 0x00000015 popad 0x00000016 mov esi, dword ptr [ebp+08h] 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F3E949294A8h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A001A5 second address: 4A001E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 8214h 0x00000007 mov cx, bx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ecx 0x0000000e pushad 0x0000000f mov ah, E2h 0x00000011 movsx edx, cx 0x00000014 popad 0x00000015 mov dword ptr [esp], edi 0x00000018 jmp 00007F3E952D7956h 0x0000001d test esi, esi 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F3E952D794Ah 0x00000028 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A001E3 second address: 4A001E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A001E9 second address: 4A0020D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F3E952D794Ch 0x00000009 sbb esi, 66B06F58h 0x0000000f jmp 00007F3E952D794Bh 0x00000014 popfd 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A0020D second address: 4A0024E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 je 00007F3F06E47897h 0x0000000d jmp 00007F3E949294A4h 0x00000012 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F3E949294A7h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A0024E second address: 4A00266 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3E952D7954h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A00266 second address: 4A0026A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A0026A second address: 4A00320 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F3F077F5CFFh 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F3E952D794Dh 0x00000015 add ecx, 2CD945B6h 0x0000001b jmp 00007F3E952D7951h 0x00000020 popfd 0x00000021 pushfd 0x00000022 jmp 00007F3E952D7950h 0x00000027 adc esi, 2524B8D8h 0x0000002d jmp 00007F3E952D794Bh 0x00000032 popfd 0x00000033 popad 0x00000034 mov edx, dword ptr [esi+44h] 0x00000037 pushad 0x00000038 pushad 0x00000039 mov bx, si 0x0000003c mov si, C0DDh 0x00000040 popad 0x00000041 pushfd 0x00000042 jmp 00007F3E952D794Ah 0x00000047 adc ax, 8338h 0x0000004c jmp 00007F3E952D794Bh 0x00000051 popfd 0x00000052 popad 0x00000053 or edx, dword ptr [ebp+0Ch] 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 pushad 0x0000005a popad 0x0000005b pushfd 0x0000005c jmp 00007F3E952D7951h 0x00000061 sbb esi, 7A3B89D6h 0x00000067 jmp 00007F3E952D7951h 0x0000006c popfd 0x0000006d popad 0x0000006e rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A00320 second address: 4A00330 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3E9492949Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A00330 second address: 4A00334 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A00334 second address: 4A0034E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test edx, 61000000h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F3E9492949Ah 0x00000015 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A0034E second address: 4A0037A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D794Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F3F077F5C71h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F3E952D7955h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A0037A second address: 4A00380 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A00380 second address: 4A00384 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A00384 second address: 4A00388 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A00388 second address: 4A003AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test byte ptr [esi+48h], 00000001h 0x0000000c jmp 00007F3E952D794Fh 0x00000011 jne 00007F3F077F5C44h 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A003AF second address: 4A003B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A003B3 second address: 4A003CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D7957h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A003CE second address: 4A003E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3E949294A4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A003E6 second address: 4A003EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A20040 second address: 4A2004F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E9492949Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A2004F second address: 4A2008D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D7959h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c jmp 00007F3E952D794Eh 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F3E952D794Ah 0x0000001c rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A2008D second address: 4A20093 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A20093 second address: 4A20099 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A20099 second address: 4A20105 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E949294A8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and esp, FFFFFFF8h 0x0000000e pushad 0x0000000f mov eax, 1757850Dh 0x00000014 mov ecx, 02846509h 0x00000019 popad 0x0000001a xchg eax, ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F3E949294A1h 0x00000024 sbb si, 0496h 0x00000029 jmp 00007F3E949294A1h 0x0000002e popfd 0x0000002f call 00007F3E949294A0h 0x00000034 pop esi 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A20105 second address: 4A2010B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A2010B second address: 4A20222 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E9492949Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F3E9492949Bh 0x00000011 xchg eax, ebx 0x00000012 jmp 00007F3E949294A6h 0x00000017 xchg eax, esi 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F3E9492949Eh 0x0000001f or ax, 7978h 0x00000024 jmp 00007F3E9492949Bh 0x00000029 popfd 0x0000002a mov bx, cx 0x0000002d popad 0x0000002e push eax 0x0000002f jmp 00007F3E949294A5h 0x00000034 xchg eax, esi 0x00000035 pushad 0x00000036 call 00007F3E9492949Ch 0x0000003b pushfd 0x0000003c jmp 00007F3E949294A2h 0x00000041 xor esi, 08765E38h 0x00000047 jmp 00007F3E9492949Bh 0x0000004c popfd 0x0000004d pop ecx 0x0000004e jmp 00007F3E949294A9h 0x00000053 popad 0x00000054 mov esi, dword ptr [ebp+08h] 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a pushfd 0x0000005b jmp 00007F3E949294A3h 0x00000060 adc cl, 0000005Eh 0x00000063 jmp 00007F3E949294A9h 0x00000068 popfd 0x00000069 pushfd 0x0000006a jmp 00007F3E949294A0h 0x0000006f add ax, 5D58h 0x00000074 jmp 00007F3E9492949Bh 0x00000079 popfd 0x0000007a popad 0x0000007b rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A20222 second address: 4A20281 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D7959h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub ebx, ebx 0x0000000b jmp 00007F3E952D7957h 0x00000010 test esi, esi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 jmp 00007F3E952D794Bh 0x0000001a jmp 00007F3E952D7958h 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A20281 second address: 4A202B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, dx 0x00000006 mov si, di 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c je 00007F3F06E1F597h 0x00000012 jmp 00007F3E9492949Fh 0x00000017 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001e pushad 0x0000001f mov di, si 0x00000022 mov bx, cx 0x00000025 popad 0x00000026 mov ecx, esi 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A202B9 second address: 4A202BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A202BD second address: 4A202C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A202C3 second address: 4A20309 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, di 0x00000006 mov si, di 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c je 00007F3F077CDA1Ah 0x00000012 jmp 00007F3E952D794Bh 0x00000017 test byte ptr [76FA6968h], 00000002h 0x0000001e jmp 00007F3E952D7956h 0x00000023 jne 00007F3F077CD9FFh 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c push ebx 0x0000002d pop ecx 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A20309 second address: 4A20400 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 3286h 0x00000007 call 00007F3E949294A7h 0x0000000c pop esi 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov edx, dword ptr [ebp+0Ch] 0x00000013 jmp 00007F3E9492949Fh 0x00000018 xchg eax, ebx 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007F3E949294A4h 0x00000020 or ch, FFFFFF88h 0x00000023 jmp 00007F3E9492949Bh 0x00000028 popfd 0x00000029 pushfd 0x0000002a jmp 00007F3E949294A8h 0x0000002f or al, FFFFFFE8h 0x00000032 jmp 00007F3E9492949Bh 0x00000037 popfd 0x00000038 popad 0x00000039 push eax 0x0000003a jmp 00007F3E949294A9h 0x0000003f xchg eax, ebx 0x00000040 pushad 0x00000041 pushfd 0x00000042 jmp 00007F3E9492949Ch 0x00000047 or ecx, 68BA9F78h 0x0000004d jmp 00007F3E9492949Bh 0x00000052 popfd 0x00000053 mov ebx, esi 0x00000055 popad 0x00000056 xchg eax, ebx 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a pushfd 0x0000005b jmp 00007F3E949294A7h 0x00000060 jmp 00007F3E949294A3h 0x00000065 popfd 0x00000066 mov ecx, 32E1E37Fh 0x0000006b popad 0x0000006c rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A20400 second address: 4A2042A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D7955h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov dx, ECB2h 0x0000000f mov cx, bx 0x00000012 popad 0x00000013 xchg eax, ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A2042A second address: 4A2042E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A2042E second address: 4A20434 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A2048E second address: 4A204A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3E949294A6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A204A8 second address: 4A204F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 jmp 00007F3E952D7957h 0x0000000e pop ebx 0x0000000f jmp 00007F3E952D7956h 0x00000014 mov esp, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 call 00007F3E952D794Dh 0x0000001e pop esi 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A10087 second address: 4A10097 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3E9492949Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A61A57 second address: 4A61A5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A61A5B second address: 4A61A61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A61A61 second address: 4A61B20 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D794Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov dx, 9964h 0x0000000f movsx edx, cx 0x00000012 popad 0x00000013 xchg eax, ebp 0x00000014 jmp 00007F3E952D7954h 0x00000019 mov ebp, esp 0x0000001b jmp 00007F3E952D7950h 0x00000020 push 0000007Fh 0x00000022 pushad 0x00000023 push ecx 0x00000024 movsx edi, cx 0x00000027 pop eax 0x00000028 pushfd 0x00000029 jmp 00007F3E952D794Fh 0x0000002e sbb ecx, 25C7758Eh 0x00000034 jmp 00007F3E952D7959h 0x00000039 popfd 0x0000003a popad 0x0000003b push 00000001h 0x0000003d jmp 00007F3E952D794Eh 0x00000042 push dword ptr [ebp+08h] 0x00000045 pushad 0x00000046 push esi 0x00000047 pushfd 0x00000048 jmp 00007F3E952D794Dh 0x0000004d sub ecx, 5832B876h 0x00000053 jmp 00007F3E952D7951h 0x00000058 popfd 0x00000059 pop eax 0x0000005a push eax 0x0000005b push edx 0x0000005c mov edi, 474BD3B2h 0x00000061 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A61B83 second address: 4A61B87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A61B87 second address: 4A61B8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A61B8B second address: 4A61B91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A61B91 second address: 4A61A57 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D794Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 retn 0004h 0x0000000c lea eax, dword ptr [ebp-10h] 0x0000000f push eax 0x00000010 call ebx 0x00000012 mov edi, edi 0x00000014 pushad 0x00000015 jmp 00007F3E952D794Eh 0x0000001a jmp 00007F3E952D7952h 0x0000001f popad 0x00000020 xchg eax, ebp 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F3E952D794Ah 0x0000002a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: FDD8F8 second address: FDD8FD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49C048F second address: 49C0495 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49C0495 second address: 49C049B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49C049B second address: 49C049F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49C049F second address: 49C04A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49C04A3 second address: 49C04C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F3E952D794Dh 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F3E952D794Dh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49C04C9 second address: 49C04CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49C04CF second address: 49C04D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49C04D3 second address: 49C0552 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E949294A3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007F3E949294A6h 0x00000012 xchg eax, ecx 0x00000013 jmp 00007F3E949294A0h 0x00000018 push eax 0x00000019 jmp 00007F3E9492949Bh 0x0000001e xchg eax, ecx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007F3E9492949Bh 0x00000028 adc ch, 0000004Eh 0x0000002b jmp 00007F3E949294A9h 0x00000030 popfd 0x00000031 mov di, si 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49C0552 second address: 49C0558 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49C0558 second address: 49C0583 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E9492949Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and dword ptr [ebp-04h], 00000000h 0x0000000f pushad 0x00000010 mov dx, ax 0x00000013 mov esi, 03A7EE37h 0x00000018 popad 0x00000019 lea eax, dword ptr [ebp-04h] 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49C0583 second address: 49C0587 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49C0587 second address: 49C05D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 call 00007F3E949294A0h 0x0000000b mov bh, cl 0x0000000d pop edx 0x0000000e popad 0x0000000f nop 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushfd 0x00000014 jmp 00007F3E949294A6h 0x00000019 jmp 00007F3E949294A5h 0x0000001e popfd 0x0000001f rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49C05D2 second address: 49C05EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D7950h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49C05EA second address: 49C0602 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E9492949Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49C068D second address: 49C069D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov ecx, edi 0x00000007 popad 0x00000008 test eax, eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49C069D second address: 49C06A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49C06A1 second address: 49C06B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D7950h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49C06B5 second address: 49C06C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3E9492949Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49C06C7 second address: 49C06EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D794Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007F3F0624331Bh 0x00000011 pushad 0x00000012 mov ecx, 11E17E3Bh 0x00000017 push eax 0x00000018 push edx 0x00000019 mov ax, F0EDh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49C06EA second address: 49C0773 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F3E9492949Ah 0x00000008 add si, 5888h 0x0000000d jmp 00007F3E9492949Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 mov eax, dword ptr [ebp-04h] 0x00000019 pushad 0x0000001a mov cx, B61Bh 0x0000001e pushfd 0x0000001f jmp 00007F3E949294A0h 0x00000024 jmp 00007F3E949294A5h 0x00000029 popfd 0x0000002a popad 0x0000002b leave 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f pushad 0x00000030 popad 0x00000031 pushfd 0x00000032 jmp 00007F3E949294A9h 0x00000037 adc ax, 4FB6h 0x0000003c jmp 00007F3E949294A1h 0x00000041 popfd 0x00000042 popad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49A0BF4 second address: 49A0BF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49A0BF8 second address: 49A0BFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 49A0BFE second address: 49A0C44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, si 0x00000006 movzx eax, di 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d jmp 00007F3E952D7950h 0x00000012 mov dword ptr [esp], ebp 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushfd 0x00000019 jmp 00007F3E952D794Ch 0x0000001e jmp 00007F3E952D7955h 0x00000023 popfd 0x00000024 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A500F6 second address: 4A500FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A500FC second address: 4A50102 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A50102 second address: 4A50106 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A20DE5 second address: 4A20E11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D794Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3E952D7957h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A20E11 second address: 4A20E35 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E949294A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A20E35 second address: 4A20E39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A20E39 second address: 4A20E3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A20E3F second address: 4A20E45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A20E45 second address: 4A20E49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A20E49 second address: 4A20E7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F3E952D7953h 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F3E952D7955h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A20E7E second address: 4A20EBB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F3E949294A7h 0x00000009 add eax, 400004DEh 0x0000000f jmp 00007F3E949294A9h 0x00000014 popfd 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A00DBA second address: 4A00DC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A00DC0 second address: 4A00DC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A00DC4 second address: 4A00DDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F3E952D794Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 mov bx, ax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A801CB second address: 4A801F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E949294A5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3E9492949Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A801F4 second address: 4A801FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A801FA second address: 4A80250 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b jmp 00007F3E9492949Bh 0x00000010 pop ecx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F3E9492949Fh 0x00000018 sub esi, 44097BCEh 0x0000001e jmp 00007F3E949294A9h 0x00000023 popfd 0x00000024 mov ax, F9D7h 0x00000028 popad 0x00000029 popad 0x0000002a xchg eax, ebp 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e mov esi, edx 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A80250 second address: 4A80255 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A80255 second address: 4A80285 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E9492949Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov bl, 6Dh 0x00000010 jmp 00007F3E949294A6h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A80285 second address: 4A8029A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, bx 0x00000006 mov dx, F3F0h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push dword ptr [ebp+0Ch] 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 mov bh, 22h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A8029A second address: 4A802C6 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F3E9492949Ch 0x00000008 or cx, 0C38h 0x0000000d jmp 00007F3E9492949Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 push dword ptr [ebp+08h] 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A802C6 second address: 4A802CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A802CA second address: 4A802D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A802D0 second address: 4A80323 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F3E952D794Fh 0x00000009 jmp 00007F3E952D7953h 0x0000000e popfd 0x0000000f mov ax, CF3Fh 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 call 00007F3E952D7949h 0x0000001b pushad 0x0000001c movzx eax, di 0x0000001f push edi 0x00000020 pushad 0x00000021 popad 0x00000022 pop esi 0x00000023 popad 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F3E952D794Eh 0x0000002e rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A80323 second address: 4A80327 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A80327 second address: 4A8032D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A8032D second address: 4A8033E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3E9492949Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A8033E second address: 4A80387 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D7951h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jmp 00007F3E952D7951h 0x00000014 mov eax, dword ptr [eax] 0x00000016 jmp 00007F3E952D7951h 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A80387 second address: 4A8038D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A803C2 second address: 4A803C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A803C6 second address: 4A803CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A803CC second address: 4A803DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3E952D794Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A803DD second address: 4A8040C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E949294A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b movzx eax, al 0x0000000e jmp 00007F3E9492949Eh 0x00000013 pop ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A8040C second address: 4A80410 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A80410 second address: 4A80416 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A80416 second address: 4A8041C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A8041C second address: 4A80420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A403F6 second address: 4A403FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A403FC second address: 4A40430 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E949294A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e mov di, 9232h 0x00000012 mov edx, 38019F7Eh 0x00000017 popad 0x00000018 movsx edi, si 0x0000001b popad 0x0000001c xchg eax, ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 push ebx 0x00000021 pop ecx 0x00000022 push ebx 0x00000023 pop eax 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A40430 second address: 4A40436 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A40436 second address: 4A4043A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A4043A second address: 4A40464 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D794Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007F3E952D7950h 0x00000012 and esp, FFFFFFF0h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A40464 second address: 4A4049D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F3E949294A3h 0x0000000a adc ecx, 045F6EEEh 0x00000010 jmp 00007F3E949294A9h 0x00000015 popfd 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A4049D second address: 4A404A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A404A3 second address: 4A404C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 sub esp, 44h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F3E949294A2h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A404C2 second address: 4A404F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D794Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushfd 0x0000000e jmp 00007F3E952D7952h 0x00000013 add al, FFFFFFF8h 0x00000016 jmp 00007F3E952D794Bh 0x0000001b popfd 0x0000001c rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A404F7 second address: 4A4051E instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, ebx 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F3E949294A8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A4051E second address: 4A4052D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D794Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A4052D second address: 4A4055A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E949294A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3E9492949Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A4055A second address: 4A40599 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, si 0x00000006 movzx esi, bx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d jmp 00007F3E952D7950h 0x00000012 mov dword ptr [esp], esi 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushfd 0x00000019 jmp 00007F3E952D794Ch 0x0000001e or ch, FFFFFFA8h 0x00000021 jmp 00007F3E952D794Bh 0x00000026 popfd 0x00000027 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A40599 second address: 4A405E1 instructions: 0x00000000 rdtsc 0x00000002 call 00007F3E949294A8h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a movsx edx, si 0x0000000d popad 0x0000000e xchg eax, edi 0x0000000f jmp 00007F3E9492949Ah 0x00000014 push eax 0x00000015 pushad 0x00000016 mov bh, 79h 0x00000018 mov dx, ax 0x0000001b popad 0x0000001c xchg eax, edi 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F3E949294A0h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A405E1 second address: 4A4067B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D7952h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c mov edi, dword ptr [ebp+08h] 0x0000000f pushad 0x00000010 jmp 00007F3E952D7959h 0x00000015 pushfd 0x00000016 jmp 00007F3E952D7950h 0x0000001b sbb eax, 67857158h 0x00000021 jmp 00007F3E952D794Bh 0x00000026 popfd 0x00000027 popad 0x00000028 mov dword ptr [esp+24h], 00000000h 0x00000030 pushad 0x00000031 mov dx, si 0x00000034 jmp 00007F3E952D7950h 0x00000039 popad 0x0000003a lock bts dword ptr [edi], 00000000h 0x0000003f jmp 00007F3E952D7950h 0x00000044 jc 00007F3F0775970Ch 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d push ebx 0x0000004e pop esi 0x0000004f pushad 0x00000050 popad 0x00000051 popad 0x00000052 rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A4067B second address: 4A40697 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E949294A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe RDTSC instruction interceptor: First address: 4A40697 second address: 4A406C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3E952D7953h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a movzx eax, bx 0x0000000d call 00007F3E952D794Bh 0x00000012 pop ecx 0x00000013 popad 0x00000014 popad 0x00000015 pop esi 0x00000016 pushad 0x00000017 pushad 0x00000018 mov ax, dx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Special instruction interceptor: First address: E36A4C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Special instruction interceptor: First address: E3690C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Special instruction interceptor: First address: FF7FDC instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Special instruction interceptor: First address: 104A3D6 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 1056A4C instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 105690C instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 1217FDC instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 126A3D6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 1186A4C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 118690C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 1347FDC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 139A3D6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_04990CCA rdtsc 0_2_04990CCA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe TID: 6696 Thread sleep count: 96 > 30 Jump to behavior
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe TID: 5824 Thread sleep count: 31 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4524 Thread sleep count: 103 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5660 Thread sleep count: 107 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7324 Thread sleep count: 56 > 30
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00D633B0 FindFirstFileA,FindNextFileA, 0_2_00D633B0
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00D83B20 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_00D83B20
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00CD1F8C FindFirstFileExW, 0_2_00CD1F8C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F833B0 FindFirstFileA,FindNextFileA, 6_2_00F833B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00FA3B20 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 6_2_00FA3B20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00EF1F8C FindFirstFileExW, 6_2_00EF1F8C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F833B0 FindFirstFileA,FindNextFileA,FindClose, 7_2_00F833B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00FA3B20 FindFirstFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 7_2_00FA3B20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00EF1F8C FindFirstFileExW, 7_2_00EF1F8C
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00D7D2B0 RegOpenKeyExA,RegQueryValueExA,RegOpenKeyExA,RegQueryValueExA,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA, 0_2_00D7D2B0
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MPGPH131.exe_efa6ea435623776204e2ff3e8ee4f891ec76e69_2d68038f_52783177-a43b-47d0-addd-1377208c22e4\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_OUZXNOqKXg.exe_5390e549b8f70678a22be0d1b2bb235f301267_520e7665_01f7457b-adcf-4fbc-ae7c-da9e5bdd937b\
Source: OUZXNOqKXg.exe, 00000000.00000002.2513399708.00000000075D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Dk&Ven_VMware&P
Source: MPGPH131.exe, 00000006.00000002.2495907015.0000000000B07000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(c
Source: MPGPH131.exe, 00000007.00000002.2495829524.000000000077E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}ses_1
Source: OUZXNOqKXg.exe, 00000000.00000002.2496012876.0000000000688000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn
Source: MPGPH131.exe, 00000006.00000003.2273104760.0000000007A19000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696
Source: MPGPH131.exe, 00000006.00000003.2273104760.0000000007A19000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .comVMware20,11696428
Source: MPGPH131.exe, 00000007.00000002.2495829524.00000000006EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: Amcache.hve.12.dr Binary or memory string: vmci.sys
Source: RpnqHn0hU1iAWeb Data.0.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: RpnqHn0hU1iAWeb Data.0.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: RpnqHn0hU1iAWeb Data.0.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: MPGPH131.exe, 00000006.00000003.2273104760.0000000007A19000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ebrokers.co.inVMware20,11696428655d
Source: Amcache.hve.12.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.12.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.12.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.12.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: RpnqHn0hU1iAWeb Data.0.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: OUZXNOqKXg.exe, 00000000.00000002.2496012876.0000000000697000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}CCr
Source: RageMP131.exe, 00000008.00000002.2351837318.0000000000DE8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000)
Source: MPGPH131.exe, 00000006.00000002.2495907015.0000000000B36000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \?\scsi_vmwaretual_dif219&0&3f563070-94f2-b8b}arq
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2505470223.00000000011D2000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2352860524.0000000001302000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000D.00000002.2420492975.0000000001302000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Amcache.hve.12.dr Binary or memory string: VMware Virtual USB Mouse
Source: RageMP131.exe, 0000000D.00000002.2419611346.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
Source: RpnqHn0hU1iAWeb Data.0.dr Binary or memory string: discord.comVMware20,11696428655f
Source: RageMP131.exe, 0000000D.00000003.2323284055.0000000000C08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000006.00000003.2273104760.0000000007A19000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,116
Source: Amcache.hve.12.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: RpnqHn0hU1iAWeb Data.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: RpnqHn0hU1iAWeb Data.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: RpnqHn0hU1iAWeb Data.0.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Amcache.hve.12.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RpnqHn0hU1iAWeb Data.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: RpnqHn0hU1iAWeb Data.0.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: MPGPH131.exe, 00000007.00000002.2495829524.000000000077E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW4.#
Source: RpnqHn0hU1iAWeb Data.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: RpnqHn0hU1iAWeb Data.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: RageMP131.exe, 00000008.00000002.2351837318.0000000000DF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b})
Source: MPGPH131.exe, 00000007.00000002.2495829524.000000000074D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_9E83B3C8
Source: OUZXNOqKXg.exe, 00000000.00000002.2513399708.00000000075D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_9E83B3C8T<
Source: MPGPH131.exe, 00000006.00000003.2273104760.0000000007A19000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: s.portal.azure.comVMware20,11696428655
Source: Amcache.hve.12.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.12.dr Binary or memory string: vmci.syshbin`
Source: RpnqHn0hU1iAWeb Data.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Amcache.hve.12.dr Binary or memory string: \driver\vmci,\driver\pci
Source: RpnqHn0hU1iAWeb Data.0.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: RpnqHn0hU1iAWeb Data.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: RageMP131.exe, 0000000D.00000002.2419611346.0000000000B90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&R
Source: OUZXNOqKXg.exe, 00000000.00000002.2505288187.0000000000FB2000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2505266709.00000000011D2000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.2505470223.00000000011D2000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2352860524.0000000001302000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000D.00000002.2420492975.0000000001302000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: MPGPH131.exe, 00000006.00000002.2514884667.0000000007DE3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}FilesPSModulePath=%ProgramFiles(x86)%\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows
Source: RpnqHn0hU1iAWeb Data.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: MPGPH131.exe, 00000006.00000003.2273104760.0000000007A19000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: billing_address_id.comVMware20,11696428
Source: Amcache.hve.12.dr Binary or memory string: VMware
Source: RpnqHn0hU1iAWeb Data.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: RpnqHn0hU1iAWeb Data.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: MPGPH131.exe, 00000006.00000003.2273104760.0000000007A19000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .utiitsl.comVMware20,1169642865
Source: RpnqHn0hU1iAWeb Data.0.dr Binary or memory string: global block list test formVMware20,11696428655
Source: RageMP131.exe, 00000008.00000003.2274651037.0000000000E00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}(
Source: Amcache.hve.12.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: MPGPH131.exe, 00000006.00000003.2144501333.0000000000B1D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11
Source: OUZXNOqKXg.exe, 00000000.00000002.2496012876.0000000000658000.00000004.00000020.00020000.00000000.sdmp, OUZXNOqKXg.exe, 00000000.00000002.2496012876.0000000000697000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2495907015.0000000000B36000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2495829524.000000000077E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2495829524.000000000073B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2351837318.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2351837318.0000000000DE8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2351837318.0000000000E35000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2419611346.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2419611346.0000000000C22000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: MPGPH131.exe, 00000007.00000003.2275309335.0000000007925000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}7
Source: RpnqHn0hU1iAWeb Data.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: RageMP131.exe, 00000008.00000002.2351837318.0000000000DFE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}5
Source: RageMP131.exe, 0000000D.00000003.2323284055.0000000000C06000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: OUZXNOqKXg.exe, 00000000.00000002.2513399708.00000000075D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}1
Source: Amcache.hve.12.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: RpnqHn0hU1iAWeb Data.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: OUZXNOqKXg.exe, 00000000.00000002.2513399708.00000000075D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\Profiles\v6zchhhv.default-release\signons.sqlite
Source: RageMP131.exe, 0000000D.00000002.2419611346.0000000000C00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}d
Source: RpnqHn0hU1iAWeb Data.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: MPGPH131.exe, 00000006.00000003.2273104760.0000000007A19000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nickname.utiitsl.comVMware20,1169642865
Source: RpnqHn0hU1iAWeb Data.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: MPGPH131.exe, 00000007.00000003.2276669635.00000000007D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}`
Source: Amcache.hve.12.dr Binary or memory string: VMware20,1
Source: Amcache.hve.12.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.12.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.12.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: RpnqHn0hU1iAWeb Data.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Amcache.hve.12.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: MPGPH131.exe, 00000006.00000003.2273104760.0000000007A19000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ra Change Transaction PasswordVMware20,11696428655
Source: Amcache.hve.12.dr Binary or memory string: VMware VMCI Bus Device
Source: RpnqHn0hU1iAWeb Data.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Amcache.hve.12.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: MPGPH131.exe, 00000006.00000003.2279686406.00000000079CC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}.je,y.je,z.je,a.mr,b.mr,c.mr,d.mr,e.mr,f.mr,g.mr,h.mr,i.mr,j.mr,k.mr,l.mr,m.mr,n.mr,o.mr,p.mr,q.mr,r.mr,s.
Source: RpnqHn0hU1iAWeb Data.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Amcache.hve.12.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.12.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.12.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.12.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: RpnqHn0hU1iAWeb Data.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: MPGPH131.exe, 00000006.00000002.2495907015.0000000000B36000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _vmware
Source: Amcache.hve.12.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: RpnqHn0hU1iAWeb Data.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: RpnqHn0hU1iAWeb Data.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: RpnqHn0hU1iAWeb Data.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Amcache.hve.12.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: RpnqHn0hU1iAWeb Data.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Amcache.hve.12.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: MPGPH131.exe, 00000006.00000002.2495907015.0000000000B36000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_04A70114 Start: 04A70164 End: 04A7012B 0_2_04A70114
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_04A70874 Start: 04A70D20 End: 04A70848 0_2_04A70874
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_04D60901 Start: 04D60E6C End: 04D6091D 6_2_04D60901
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_04D80AF3 Start: 04D80BCA End: 04D80B0C 6_2_04D80AF3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_04DF065A Start: 04DF08D5 End: 04DF0694 6_2_04DF065A
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_04A104DD Start: 04A106D5 End: 04A104FC 7_2_04A104DD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_04A106DC Start: 04A107AA End: 04A1075C 7_2_04A106DC
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_04A50178 Start: 04A50208 End: 04A50204 7_2_04A50178
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: SICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: SIWVID
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_04990CCA rdtsc 0_2_04990CCA
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00D64130 mov eax, dword ptr fs:[00000030h] 0_2_00D64130
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00D31A60 mov eax, dword ptr fs:[00000030h] 0_2_00D31A60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F84130 mov eax, dword ptr fs:[00000030h] 6_2_00F84130
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F51A60 mov eax, dword ptr fs:[00000030h] 6_2_00F51A60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F84130 mov eax, dword ptr fs:[00000030h] 7_2_00F84130
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F51A60 mov eax, dword ptr fs:[00000030h] 7_2_00F51A60
Source: OUZXNOqKXg.exe, OUZXNOqKXg.exe, 00000000.00000002.2505288187.0000000000FB2000.00000040.00000001.01000000.00000003.sdmp, RageMP131.exe, 0000000D.00000002.2420492975.0000000001302000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: g2Program Manager
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00CD360D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_00CD360D
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Code function: 0_2_00D7D2B0 RegOpenKeyExA,RegQueryValueExA,RegOpenKeyExA,RegQueryValueExA,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,RegOpenKeyExA,RegEnumKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA, 0_2_00D7D2B0
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.12.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.12.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.12.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.12.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 00000006.00000003.2279686406.0000000007A05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2276710480.0000000007927000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2513672666.00000000074E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2513399708.000000000763D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2513399708.00000000075D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2276646038.000000000791C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2514314393.0000000007A05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2514580399.0000000007928000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: OUZXNOqKXg.exe PID: 1964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 1048, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 6044, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7320, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7776, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\omSBwUIH4pet5KxkFSj3Ooa.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\HWrdWlyArR5ylxzokfJFSLT.zip, type: DROPPED
Source: MPGPH131.exe, 00000006.00000002.2495907015.0000000000B36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: OUZXNOqKXg.exe, 00000000.00000002.2513399708.0000000007632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\com.liberty.jaxx
Source: MPGPH131.exe, 00000006.00000002.2495907015.0000000000B36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: OUZXNOqKXg.exe, 00000000.00000002.2513399708.0000000007632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: MPGPH131.exe, 00000006.00000002.2495907015.0000000000B36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: OUZXNOqKXg.exe, 00000000.00000002.2513399708.0000000007632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
Source: OUZXNOqKXg.exe, 00000000.00000002.2513399708.0000000007632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: OUZXNOqKXg.exe, 00000000.00000002.2513399708.0000000007632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: OUZXNOqKXg.exe, 00000000.00000002.2513399708.0000000007632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
Source: MPGPH131.exe, 00000006.00000002.2495907015.0000000000B36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: MPGPH131.exe, 00000006.00000002.2495907015.0000000000B36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Livel
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\formhistory.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\places.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\signons.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\logins.json
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\signons.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\OUZXNOqKXg.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: 00000006.00000002.2495907015.0000000000B36000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2495829524.000000000077E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2496012876.0000000000697000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: OUZXNOqKXg.exe PID: 1964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 1048, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 6044, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000006.00000003.2279686406.0000000007A05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2276710480.0000000007927000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2513672666.00000000074E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2513399708.000000000763D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2513399708.00000000075D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2276646038.000000000791C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2514314393.0000000007A05000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2514580399.0000000007928000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: OUZXNOqKXg.exe PID: 1964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 1048, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 6044, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7320, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7776, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\omSBwUIH4pet5KxkFSj3Ooa.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\HWrdWlyArR5ylxzokfJFSLT.zip, type: DROPPED