Edit tour

Windows Analysis Report
random.exe

Overview

General Information

Sample name:	random.exe
Analysis ID:	1604024
MD5:	f662cb18e04cc62863751b672570bd7d
SHA1:	1630d460c4ca5061d1d10ecdfd9a3c7d85b30896
SHA256:	1e9ff1fc659f304a408cff60895ef815d0a9d669a3d462e0046f55c8c6feafc2
Tags:	exeRedLineStealeruser-aachum
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected RedLine Stealer

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

Joe Sandbox ML detected suspicious sample

Machine Learning detection for sample

PE file contains section with special chars

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

random.exe (PID: 2724 cmdline: "C:\Users\user\Desktop\random.exe" MD5: F662CB18E04CC62863751B672570BD7D)

conhost.exe (PID: 816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["103.84.89.222:33791"], "Bot Id": "cheat"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000003.1304501021.0000000004930000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000003.1304501021.0000000004930000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000005.00000003.1304501021.0000000004930000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
00000005.00000002.1624839015.0000000004DB0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000005.00000002.1620377710.0000000000152000.00000040.00000001.01000000.00000004.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.1620377710.0000000000152000.00000040.00000001.01000000.00000004.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000005.00000002.1620377710.0000000000152000.00000040.00000001.01000000.00000004.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
Process Memory Space: random.exe PID: 2724	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: random.exe PID: 2724	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: random.exe PID: 2724	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x1de724:$a4: get_ScannedWallets 0x6fe1da:$a4: get_ScannedWallets 0x1dd5cb:$a5: get_ScanTelegram 0x6fd081:$a5: get_ScanTelegram 0x1de3ad:$a6: get_ScanGeckoBrowsersPaths 0x6fde63:$a6: get_ScanGeckoBrowsersPaths 0x1dc25e:$a7: <Processes>k__BackingField 0x6fbd14:$a7: <Processes>k__BackingField 0x1d9791:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x6f9247:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1dbb92:$a9: <ScanFTP>k__BackingField 0x6fb648:$a9: <ScanFTP>k__BackingField
Click to see the 5 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.random.exe.150000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.random.exe.150000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
5.2.random.exe.150000.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x137ca:$a4: get_ScannedWallets 0x12628:$a5: get_ScanTelegram 0x1344e:$a6: get_ScanGeckoBrowsersPaths 0x1126a:$a7: <Processes>k__BackingField 0xf17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x10b9e:$a9: <ScanFTP>k__BackingField
5.2.random.exe.150000.0.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x11bcb:$gen01: ChromeGetRoamingName 0x11bff:$gen02: ChromeGetLocalName 0x11c28:$gen03: get_UserDomainName 0x13e67:$gen04: get_encrypted_key 0x133e3:$gen05: browserPaths 0x1372b:$gen06: GetBrowsers 0x13061:$gen07: get_InstalledInputLanguages 0x1084f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x8938:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x9318:$spe6: windows-1251, CommandLine: 0x145bd:$spe9: wallet 0xf00c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xf107:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xf464:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xf571:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xf6f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xf098:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xf0c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xf25f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xf59a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xf639:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
5.2.random.exe.150000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1068a:$u7: RunPE 0x13d41:$u8: DownloadAndEx 0x9330:$pat14: , CommandLine: 0x13279:$v2_1: ListOfProcesses 0x1088b:$v2_2: get_ScanVPN 0x1092e:$v2_2: get_ScanFTP 0x1161e:$v2_2: get_ScanDiscord 0x1260c:$v2_2: get_ScanSteam 0x12628:$v2_2: get_ScanTelegram 0x126ce:$v2_2: get_ScanScreen 0x13416:$v2_2: get_ScanChromeBrowsersPaths 0x1344e:$v2_2: get_ScanGeckoBrowsersPaths 0x13709:$v2_2: get_ScanBrowsers 0x137ca:$v2_2: get_ScannedWallets 0x137f0:$v2_2: get_ScanWallets 0x13810:$v2_3: GetArguments 0x11ed9:$v2_4: VerifyUpdate 0x167ea:$v2_4: VerifyUpdate 0x13bca:$v2_5: VerifyScanRequest 0x132c6:$v2_6: GetUpdates 0x167cb:$v2_6: GetUpdates

Suricata Signatures

ET MALWARE RedLine Stealer - CheckConnect Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-31T19:03:09.400494+0100	2045000	1	Malware Command and Control Activity Detected	103.84.89.222	33791	192.168.2.7	49721	TCP

ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-31T19:03:16.757705+0100	2045001	1	Malware Command and Control Activity Detected	103.84.89.222	33791	192.168.2.7	49721	TCP

ETPRO MALWARE RedLine - CheckConnect Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-31T19:03:03.265218+0100	2849662	1	Malware Command and Control Activity Detected	192.168.2.7	49721	103.84.89.222	33791	TCP

ETPRO MALWARE RedLine - EnvironmentSettings Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-31T19:03:09.765091+0100	2849351	1	Malware Command and Control Activity Detected	192.168.2.7	49721	103.84.89.222	33791	TCP

ETPRO MALWARE RedLine - GetUpdates Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-31T19:03:21.568264+0100	2848200	1	Malware Command and Control Activity Detected	192.168.2.7	61399	103.84.89.222	33791	TCP

ETPRO MALWARE RedLine - SetEnvironment Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-31T19:03:17.384315+0100	2849352	1	Malware Command and Control Activity Detected	192.168.2.7	61370	103.84.89.222	33791	TCP

Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-31T19:03:03.265218+0100	1800000	1	Malware Command and Control Activity Detected	192.168.2.7	49721	103.84.89.222	33791	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: random.exe

Avira: detected

Found malware configuration

Source: 5.2.random.exe.150000.0.unpack

Malware Configuration Extractor: RedLine {"C2 url": ["103.84.89.222:33791"], "Bot Id": "cheat"}

Multi AV Scanner detection for submitted file

Source: random.exe

ReversingLabs: Detection: 50%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: random.exe

Joe Sandbox ML: detected

Source: random.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.75.172:443 -> 192.168.2.7:49774 version: TLS 1.0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.7:49721 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.7:49721 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.7:61370 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 103.84.89.222:33791 -> 192.168.2.7:49721
Source: Network traffic	Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.7:49721 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2848200 - Severity 1 - ETPRO MALWARE RedLine - GetUpdates Request : 192.168.2.7:61399 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 103.84.89.222:33791 -> 192.168.2.7:49721

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 103.84.89.222:33791

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 61370 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 61370
Source: unknown	Network traffic detected: HTTP traffic on port 61399 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 61399

Source: global traffic

TCP traffic: 192.168.2.7:49721 -> 103.84.89.222:33791

Source: global traffic

TCP traffic: 192.168.2.7:61334 -> 1.1.1.1:53

Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1Host: api.ip.sbConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 103.84.89.222:33791Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 103.84.89.222:33791Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 103.84.89.222:33791Content-Length: 1089013Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 103.84.89.222:33791Content-Length: 1089005Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 172.67.75.172 172.67.75.172

Source: Joe Sandbox View

ASN Name: AISI-AS-APHKAISICLOUDCOMPUTINGLIMITEDHK AISI-AS-APHKAISICLOUDCOMPUTINGLIMITEDHK

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown

HTTPS traffic detected: 172.67.75.172:443 -> 192.168.2.7:49774 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222
Source: unknown	TCP traffic detected without corresponding DNS query: 103.84.89.222

Source: global traffic

HTTP traffic detected: GET /geoip HTTP/1.1Host: api.ip.sbConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: api.ip.sb

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 103.84.89.222:33791Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: random.exe, 00000005.00000002.1624839015.0000000004FC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.84.89.222:3
Source: random.exe, 00000005.00000002.1624839015.0000000004D61000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000005.00000002.1624839015.0000000004DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.84.89.222:33791
Source: random.exe, 00000005.00000002.1624839015.0000000004D61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.84.89.222:33791/
Source: random.exe, 00000005.00000002.1624839015.0000000004DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.84.89.222:33791t-
Source: random.exe, 00000005.00000003.1620184621.0000000008917000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000005.00000003.1502569246.0000000008916000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000005.00000003.1502531833.0000000008902000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000005.00000003.1620152408.0000000008917000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000005.00000003.1620056862.0000000008917000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://purl.oen
Source: random.exe, 00000005.00000002.1624839015.0000000004FC7000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000005.00000002.1624839015.0000000004DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: random.exe, 00000005.00000002.1624839015.0000000004D61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: random.exe, 00000005.00000002.1624839015.0000000004DD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: random.exe, 00000005.00000002.1624839015.0000000004D61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: random.exe, 00000005.00000002.1624839015.0000000004D61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: random.exe, 00000005.00000002.1624839015.0000000004D61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: random.exe, 00000005.00000002.1624839015.0000000004D61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: random.exe, 00000005.00000002.1624839015.0000000004DD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: random.exe, 00000005.00000002.1624839015.0000000004D61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: random.exe, 00000005.00000002.1624839015.0000000004D61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: random.exe, 00000005.00000002.1624839015.0000000004D61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: random.exe, 00000005.00000002.1624839015.0000000004D61000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000005.00000002.1624839015.0000000004DB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: random.exe, 00000005.00000002.1624839015.0000000004D61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: random.exe, 00000005.00000002.1624839015.0000000004EEA000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000005.00000002.1624839015.0000000004DB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: random.exe, 00000005.00000002.1624839015.0000000004D61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: random.exe, 00000005.00000002.1624839015.0000000004FC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnviron
Source: random.exe, 00000005.00000002.1624839015.0000000004DF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: random.exe, 00000005.00000002.1624839015.0000000004D61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: random.exe, 00000005.00000002.1624839015.0000000004D61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: random.exe, 00000005.00000002.1624839015.0000000004D61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: random.exe, 00000005.00000002.1626601894.0000000005F50000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000005.00000003.1525136307.0000000006075000.00000004.00000800.00020000.00000000.sdmp, tmpEBE6.tmp.5.dr, tmpEBD5.tmp.5.dr, tmp184C.tmp.5.dr, tmpEBB4.tmp.5.dr, tmpEBE7.tmp.5.dr, tmpEBA3.tmp.5.dr, tmp182A.tmp.5.dr, tmp1819.tmp.5.dr, tmp1809.tmp.5.dr, tmp184B.tmp.5.dr, tmpEBC4.tmp.5.dr, tmp183A.tmp.5.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: random.exe, 00000005.00000002.1624839015.0000000004DB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb
Source: random.exe, 00000005.00000002.1624839015.0000000004DB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip
Source: random.exe	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE
Source: random.exe, random.exe, 00000005.00000003.1304501021.0000000004930000.00000004.00001000.00020000.00000000.sdmp, random.exe, 00000005.00000002.1620377710.0000000000152000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: random.exe	String found in binary or memory: https://api.ipify.orgcookies//setti
Source: random.exe, random.exe, 00000005.00000003.1304501021.0000000004930000.00000004.00001000.00020000.00000000.sdmp, random.exe, 00000005.00000002.1620377710.0000000000152000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: random.exe, 00000005.00000002.1626601894.0000000005F50000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000005.00000003.1525136307.0000000006075000.00000004.00000800.00020000.00000000.sdmp, tmpEBE6.tmp.5.dr, tmpEBD5.tmp.5.dr, tmp184C.tmp.5.dr, tmpEBB4.tmp.5.dr, tmpEBE7.tmp.5.dr, tmpEBA3.tmp.5.dr, tmp182A.tmp.5.dr, tmp1819.tmp.5.dr, tmp1809.tmp.5.dr, tmp184B.tmp.5.dr, tmpEBC4.tmp.5.dr, tmp183A.tmp.5.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: random.exe, 00000005.00000002.1626601894.0000000005F50000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000005.00000003.1525136307.0000000006075000.00000004.00000800.00020000.00000000.sdmp, tmpEBE6.tmp.5.dr, tmpEBD5.tmp.5.dr, tmp184C.tmp.5.dr, tmpEBB4.tmp.5.dr, tmpEBE7.tmp.5.dr, tmpEBA3.tmp.5.dr, tmp182A.tmp.5.dr, tmp1819.tmp.5.dr, tmp1809.tmp.5.dr, tmp184B.tmp.5.dr, tmpEBC4.tmp.5.dr, tmp183A.tmp.5.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: random.exe, 00000005.00000002.1626601894.0000000005F50000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000005.00000003.1525136307.0000000006075000.00000004.00000800.00020000.00000000.sdmp, tmpEBE6.tmp.5.dr, tmpEBD5.tmp.5.dr, tmp184C.tmp.5.dr, tmpEBB4.tmp.5.dr, tmpEBE7.tmp.5.dr, tmpEBA3.tmp.5.dr, tmp182A.tmp.5.dr, tmp1819.tmp.5.dr, tmp1809.tmp.5.dr, tmp184B.tmp.5.dr, tmpEBC4.tmp.5.dr, tmp183A.tmp.5.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: random.exe, 00000005.00000002.1626601894.0000000005F50000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000005.00000003.1525136307.0000000006075000.00000004.00000800.00020000.00000000.sdmp, tmpEBE6.tmp.5.dr, tmpEBD5.tmp.5.dr, tmp184C.tmp.5.dr, tmpEBB4.tmp.5.dr, tmpEBE7.tmp.5.dr, tmpEBA3.tmp.5.dr, tmp182A.tmp.5.dr, tmp1819.tmp.5.dr, tmp1809.tmp.5.dr, tmp184B.tmp.5.dr, tmpEBC4.tmp.5.dr, tmp183A.tmp.5.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: random.exe, 00000005.00000002.1626601894.0000000005F50000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000005.00000003.1525136307.0000000006075000.00000004.00000800.00020000.00000000.sdmp, tmpEBE6.tmp.5.dr, tmpEBD5.tmp.5.dr, tmp184C.tmp.5.dr, tmpEBB4.tmp.5.dr, tmpEBE7.tmp.5.dr, tmpEBA3.tmp.5.dr, tmp182A.tmp.5.dr, tmp1819.tmp.5.dr, tmp1809.tmp.5.dr, tmp184B.tmp.5.dr, tmpEBC4.tmp.5.dr, tmp183A.tmp.5.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: random.exe, 00000005.00000002.1626601894.0000000005F50000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000005.00000003.1525136307.0000000006075000.00000004.00000800.00020000.00000000.sdmp, tmpEBE6.tmp.5.dr, tmpEBD5.tmp.5.dr, tmp184C.tmp.5.dr, tmpEBB4.tmp.5.dr, tmpEBE7.tmp.5.dr, tmpEBA3.tmp.5.dr, tmp182A.tmp.5.dr, tmp1819.tmp.5.dr, tmp1809.tmp.5.dr, tmp184B.tmp.5.dr, tmpEBC4.tmp.5.dr, tmp183A.tmp.5.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: random.exe, random.exe, 00000005.00000003.1304501021.0000000004930000.00000004.00001000.00020000.00000000.sdmp, random.exe, 00000005.00000002.1620377710.0000000000152000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: random.exe, 00000005.00000002.1626601894.0000000005F50000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000005.00000003.1525136307.0000000006075000.00000004.00000800.00020000.00000000.sdmp, tmpEBE6.tmp.5.dr, tmpEBD5.tmp.5.dr, tmp184C.tmp.5.dr, tmpEBB4.tmp.5.dr, tmpEBE7.tmp.5.dr, tmpEBA3.tmp.5.dr, tmp182A.tmp.5.dr, tmp1819.tmp.5.dr, tmp1809.tmp.5.dr, tmp184B.tmp.5.dr, tmpEBC4.tmp.5.dr, tmp183A.tmp.5.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: random.exe, 00000005.00000002.1626601894.0000000005F50000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000005.00000003.1525136307.0000000006075000.00000004.00000800.00020000.00000000.sdmp, tmpEBE6.tmp.5.dr, tmpEBD5.tmp.5.dr, tmp184C.tmp.5.dr, tmpEBB4.tmp.5.dr, tmpEBE7.tmp.5.dr, tmpEBA3.tmp.5.dr, tmp182A.tmp.5.dr, tmp1819.tmp.5.dr, tmp1809.tmp.5.dr, tmp184B.tmp.5.dr, tmpEBC4.tmp.5.dr, tmp183A.tmp.5.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 5.2.random.exe.150000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 5.2.random.exe.150000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 5.2.random.exe.150000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000005.00000003.1304501021.0000000004930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000005.00000002.1620377710.0000000000152000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: random.exe PID: 2724, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown

PE file contains section with special chars

Source: random.exe	Static PE information: section name:
Source: random.exe	Static PE information: section name: .idata
Source: random.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\random.exe	Code function: 5_2_04B3E7B0	5_2_04B3E7B0
Source: C:\Users\user\Desktop\random.exe	Code function: 5_2_04B3DC90	5_2_04B3DC90
Source: C:\Users\user\Desktop\random.exe	Code function: 5_2_082CCD20	5_2_082CCD20
Source: C:\Users\user\Desktop\random.exe	Code function: 5_2_082CDD00	5_2_082CDD00
Source: C:\Users\user\Desktop\random.exe	Code function: 5_2_082C1210	5_2_082C1210
Source: C:\Users\user\Desktop\random.exe	Code function: 5_2_082C4468	5_2_082C4468
Source: C:\Users\user\Desktop\random.exe	Code function: 5_2_082C3460	5_2_082C3460
Source: C:\Users\user\Desktop\random.exe	Code function: 5_2_082C9628	5_2_082C9628

Source: random.exe, 00000005.00000002.1624839015.0000000004FC7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefirefox.exe0 vs random.exe
Source: random.exe, 00000005.00000002.1624839015.0000000004FC7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs random.exe
Source: random.exe, 00000005.00000002.1624839015.0000000004FC7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q,\\StringFileInfo\\000004B0\\OriginalFilename vs random.exe
Source: random.exe, 00000005.00000002.1624839015.0000000004FC7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamechrome.exe< vs random.exe
Source: random.exe, 00000005.00000002.1624839015.0000000004FC7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs random.exe
Source: random.exe, 00000005.00000002.1624839015.0000000004FC7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs random.exe
Source: random.exe, 00000005.00000002.1624839015.0000000004FC7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIEXPLORE.EXED vs random.exe
Source: random.exe, 00000005.00000002.1624839015.0000000004FC7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q,\\StringFileInfo\\080904B0\\OriginalFilename vs random.exe
Source: random.exe, 00000005.00000002.1624839015.0000000004FC7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsedge.exe> vs random.exe
Source: random.exe, 00000005.00000002.1621275572.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs random.exe
Source: random.exe, 00000005.00000002.1623533789.0000000004920000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs random.exe
Source: random.exe, 00000005.00000002.1620414780.000000000016A000.00000004.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs random.exe
Source: random.exe, 00000005.00000002.1624839015.0000000004DF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs random.exe
Source: random.exe	Binary or memory string: OriginalFilenameImplosions.exe4 vs random.exe

Source: random.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 5.2.random.exe.150000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 5.2.random.exe.150000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 5.2.random.exe.150000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000005.00000003.1304501021.0000000004930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000005.00000002.1620377710.0000000000152000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: random.exe PID: 2724, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23

Source: random.exe	Static PE information: Section: ZLIB complexity 0.9962366615853658
Source: random.exe	Static PE information: Section: efrqcofg ZLIB complexity 0.9946268992219612

Source: random.exe

Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@2/117@1/2

Source: C:\Users\user\Desktop\random.exe

File created: C:\Users\user\AppData\Local\Yandex

Jump to behavior

Source: C:\Users\user\Desktop\random.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:816:120:WilError_03

Source: C:\Users\user\Desktop\random.exe

File created: C:\Users\user\AppData\Local\Temp\tmp7147.tmp

Jump to behavior

Source: C:\Users\user\Desktop\random.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\random.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\random.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Source: C:\Users\user\Desktop\random.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: random.exe, 00000005.00000002.1624839015.0000000005212000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000005.00000002.1624839015.0000000005287000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000005.00000002.1624839015.000000000519D000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000005.00000003.1519599759.0000000009495000.00000004.00000020.00020000.00000000.sdmp, tmpBE56.tmp.5.dr, tmp90DC.tmp.5.dr, tmp4401.tmp.5.dr, tmpEB83.tmp.5.dr, tmp4424.tmp.5.dr, tmp4411.tmp.5.dr, tmpBE36.tmp.5.dr, tmp90AC.tmp.5.dr, tmp4434.tmp.5.dr, tmp4412.tmp.5.dr, tmpBE86.tmp.5.dr, tmp4423.tmp.5.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: random.exe

ReversingLabs: Detection: 50%

Source: random.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: random.exe	String found in binary or memory: 3The file %s is missing. Please, re-install this application

Source: unknown	Process created: C:\Users\user\Desktop\random.exe "C:\Users\user\Desktop\random.exe"
Source: C:\Users\user\Desktop\random.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\random.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: tmpA535.tmp.5.dr

LNK file: ..\..\..\..\..\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: random.exe

Static file information: File size 1805824 > 1048576

Source: random.exe

Static PE information: Raw size of efrqcofg is bigger than: 0x100000 < 0x1a9c00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\random.exe

Unpacked PE file: 5.2.random.exe.150000.0.unpack :EW;.rsrc:W;.idata :W; :EW;efrqcofg:EW;yqrfybbc:EW;.taggant:EW; vs :ER;.rsrc:W;

Source: random.exe

Static PE information: 0xF00CA9A2 [Wed Aug 14 23:34:58 2097 UTC]

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: random.exe

Static PE information: real checksum: 0x1bb953 should be: 0x1c86bc

Source: random.exe	Static PE information: section name:
Source: random.exe	Static PE information: section name: .idata
Source: random.exe	Static PE information: section name:
Source: random.exe	Static PE information: section name: efrqcofg
Source: random.exe	Static PE information: section name: yqrfybbc
Source: random.exe	Static PE information: section name: .taggant

Source: random.exe	Static PE information: section name: entropy: 7.966652808119376
Source: random.exe	Static PE information: section name: efrqcofg entropy: 7.9532683612246755

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\random.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window searched: window name: Regmonclass	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 61370 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 61370
Source: unknown	Network traffic detected: HTTP traffic on port 61399 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 61399

Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\random.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\random.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\random.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 1718E3 second address: 1718E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 2F4A41 second address: 2F4A4B instructions: 0x00000000 rdtsc 0x00000002 jno 00007FABD07C4356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 2F3B25 second address: 2F3B29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 2F3CE7 second address: 2F3D02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FABD07C4367h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 2F3D02 second address: 2F3D19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FABD07C1F5Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007FABD07C1F56h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 2F40FE second address: 2F4112 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FABD07C4356h 0x00000008 jbe 00007FABD07C4356h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 2F4112 second address: 2F4131 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FABD07C1F56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b jng 00007FABD07C1F72h 0x00000011 push eax 0x00000012 push edx 0x00000013 ja 00007FABD07C1F56h 0x00000019 jnc 00007FABD07C1F56h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 2F428C second address: 2F4292 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 2F4292 second address: 2F4297 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 2F69B9 second address: 2F69BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 2F69BD second address: 1718E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 add dword ptr [esp], 1F50A920h 0x0000000e and edx, dword ptr [ebp+122D2A59h] 0x00000014 push dword ptr [ebp+122D0B4Dh] 0x0000001a mov esi, dword ptr [ebp+122D27D1h] 0x00000020 call dword ptr [ebp+122D1B6Eh] 0x00000026 pushad 0x00000027 jmp 00007FABD07C1F66h 0x0000002c xor eax, eax 0x0000002e stc 0x0000002f mov edx, dword ptr [esp+28h] 0x00000033 jp 00007FABD07C1F57h 0x00000039 mov dword ptr [ebp+122D2805h], eax 0x0000003f add dword ptr [ebp+122D1812h], esi 0x00000045 mov esi, 0000003Ch 0x0000004a cmc 0x0000004b add esi, dword ptr [esp+24h] 0x0000004f jl 00007FABD07C1F6Ch 0x00000055 jno 00007FABD07C1F66h 0x0000005b jbe 00007FABD07C1F62h 0x00000061 jnp 00007FABD07C1F5Ch 0x00000067 mov dword ptr [ebp+122D1812h], esi 0x0000006d lodsw 0x0000006f xor dword ptr [ebp+122D19E6h], edi 0x00000075 jmp 00007FABD07C1F61h 0x0000007a add eax, dword ptr [esp+24h] 0x0000007e sub dword ptr [ebp+122D1812h], ebx 0x00000084 jmp 00007FABD07C1F66h 0x00000089 mov ebx, dword ptr [esp+24h] 0x0000008d cld 0x0000008e push eax 0x0000008f push eax 0x00000090 push edx 0x00000091 push eax 0x00000092 push edx 0x00000093 jmp 00007FABD07C1F69h 0x00000098 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 2F6A4F second address: 2F6A53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 2F6A53 second address: 2F6AC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 add dword ptr [esp], 07A82700h 0x0000000e mov dword ptr [ebp+122D19F5h], ecx 0x00000014 push 00000003h 0x00000016 add dword ptr [ebp+122D1F5Ch], esi 0x0000001c push 00000000h 0x0000001e sub dword ptr [ebp+122D19F5h], eax 0x00000024 push 00000003h 0x00000026 or ecx, dword ptr [ebp+122D28F1h] 0x0000002c push 70182E50h 0x00000031 push esi 0x00000032 jl 00007FABD07C1F58h 0x00000038 pushad 0x00000039 popad 0x0000003a pop esi 0x0000003b add dword ptr [esp], 4FE7D1B0h 0x00000042 mov dword ptr [ebp+122D1B9Fh], ecx 0x00000048 lea ebx, dword ptr [ebp+124588DBh] 0x0000004e jmp 00007FABD07C1F5Fh 0x00000053 xchg eax, ebx 0x00000054 push ebx 0x00000055 push edi 0x00000056 jmp 00007FABD07C1F5Ch 0x0000005b pop edi 0x0000005c pop ebx 0x0000005d push eax 0x0000005e push ecx 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 2F6AC7 second address: 2F6ACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 2F6ACB second address: 2F6ACF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 2F6B49 second address: 2F6B4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 2F6B4F second address: 2F6BBA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FABD07C1F5Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a add ch, 00000018h 0x0000000d push 00000000h 0x0000000f mov edx, 365C016Eh 0x00000014 call 00007FABD07C1F59h 0x00000019 pushad 0x0000001a jng 00007FABD07C1F5Ch 0x00000020 jo 00007FABD07C1F56h 0x00000026 jmp 00007FABD07C1F5Ch 0x0000002b popad 0x0000002c push eax 0x0000002d jbe 00007FABD07C1F5Ah 0x00000033 push ecx 0x00000034 pushad 0x00000035 popad 0x00000036 pop ecx 0x00000037 mov eax, dword ptr [esp+04h] 0x0000003b push edx 0x0000003c jmp 00007FABD07C1F5Bh 0x00000041 pop edx 0x00000042 mov eax, dword ptr [eax] 0x00000044 pushad 0x00000045 pushad 0x00000046 pushad 0x00000047 popad 0x00000048 jnl 00007FABD07C1F56h 0x0000004e popad 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 popad 0x00000053 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 2F6BBA second address: 2F6BD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FABD07C435Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 push eax 0x00000012 pop eax 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 2F6BD3 second address: 2F6C54 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FABD07C1F63h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007FABD07C1F58h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 0000001Ah 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 stc 0x00000025 push 00000003h 0x00000027 mov dword ptr [ebp+122D238Ch], edi 0x0000002d push 00000000h 0x0000002f mov edx, dword ptr [ebp+122D2A9Dh] 0x00000035 push 00000003h 0x00000037 movsx esi, cx 0x0000003a and edi, dword ptr [ebp+122D29BDh] 0x00000040 call 00007FABD07C1F59h 0x00000045 jns 00007FABD07C1F6Dh 0x0000004b push eax 0x0000004c push ebx 0x0000004d pushad 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 2F6C54 second address: 2F6C5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 2F6C5A second address: 2F6C97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jmp 00007FABD07C1F5Ch 0x0000000f mov eax, dword ptr [eax] 0x00000011 js 00007FABD07C1F6Bh 0x00000017 pushad 0x00000018 jmp 00007FABD07C1F61h 0x0000001d pushad 0x0000001e popad 0x0000001f popad 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 push eax 0x00000025 push edx 0x00000026 push edx 0x00000027 push eax 0x00000028 pop eax 0x00000029 pop edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 2F6D3C second address: 2F6DC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 stc 0x00000009 clc 0x0000000a push 00000000h 0x0000000c sub dword ptr [ebp+122D357Ah], esi 0x00000012 add esi, 64009270h 0x00000018 push 725BB5E1h 0x0000001d jmp 00007FABD07C4360h 0x00000022 xor dword ptr [esp], 725BB561h 0x00000029 jmp 00007FABD07C435Bh 0x0000002e push 00000003h 0x00000030 push 00000000h 0x00000032 add ecx, 6973ED06h 0x00000038 push 00000003h 0x0000003a mov edx, 5E1E66A1h 0x0000003f push BC58D0A5h 0x00000044 jmp 00007FABD07C435Fh 0x00000049 xor dword ptr [esp], 7C58D0A5h 0x00000050 lea ebx, dword ptr [ebp+124588EFh] 0x00000056 mov dword ptr [ebp+122D1F5Ch], ebx 0x0000005c push eax 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007FABD07C435Fh 0x00000064 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 314D07 second address: 314D0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 314FCC second address: 314FD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 314FD2 second address: 314FD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 314FD7 second address: 315003 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FABD07C4362h 0x00000008 push eax 0x00000009 push edx 0x0000000a jc 00007FABD07C4356h 0x00000010 jmp 00007FABD07C4360h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 315003 second address: 31500D instructions: 0x00000000 rdtsc 0x00000002 jns 00007FABD07C1F56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 31500D second address: 315035 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FABD07C4368h 0x00000011 popad 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 31558E second address: 31559E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FABD07C1F5Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 31559E second address: 3155CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FABD07C435Eh 0x00000009 popad 0x0000000a push edi 0x0000000b jmp 00007FABD07C4366h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3155CA second address: 3155F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edi 0x00000008 jnc 00007FABD07C1F68h 0x0000000e jng 00007FABD07C1F5Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 315A2B second address: 315A5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 jno 00007FABD07C4356h 0x0000000d pushad 0x0000000e popad 0x0000000f ja 00007FABD07C4356h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jc 00007FABD07C4356h 0x0000001e jmp 00007FABD07C4366h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 315A5F second address: 315A63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 315A63 second address: 315A70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 315BBE second address: 315BD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FABD07C1F64h 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 30DD7D second address: 30DD8A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 30DD8A second address: 30DD8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 30DD8F second address: 30DD94 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 30DD94 second address: 30DD9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 2DF85E second address: 2DF863 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 318400 second address: 318415 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FABD07C1F61h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 318415 second address: 318427 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FABD07C4356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 318427 second address: 31842E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 31842E second address: 318434 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 318434 second address: 318438 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 318CAD second address: 318CB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 318CB1 second address: 318CB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 2E7D74 second address: 2E7D78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 2E7D78 second address: 2E7D80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 2E7D80 second address: 2E7D8A instructions: 0x00000000 rdtsc 0x00000002 je 00007FABD07C435Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 31EE18 second address: 31EE1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 31EE1C second address: 31EE22 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 323489 second address: 3234C0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jl 00007FABD07C1F56h 0x00000009 ja 00007FABD07C1F56h 0x0000000f pop ecx 0x00000010 jmp 00007FABD07C1F67h 0x00000015 pop edx 0x00000016 pop eax 0x00000017 je 00007FABD07C1F62h 0x0000001d jbe 00007FABD07C1F5Ch 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 32278B second address: 3227EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FABD07C4366h 0x00000009 popad 0x0000000a jnc 00007FABD07C436Bh 0x00000010 jmp 00007FABD07C4365h 0x00000015 push eax 0x00000016 push edx 0x00000017 jbe 00007FABD07C4368h 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FABD07C435Ch 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3227EB second address: 3227EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3227EF second address: 3227F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3227F3 second address: 3227FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FABD07C1F56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3227FF second address: 322809 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FABD07C435Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 32297D second address: 322994 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jmp 00007FABD07C1F5Eh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 32304F second address: 323053 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 323053 second address: 323058 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 323058 second address: 323068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FABD07C435Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 323068 second address: 323075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007FABD07C1F56h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 326490 second address: 326496 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 32655E second address: 326564 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 326564 second address: 32659C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FABD07C4364h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FABD07C4369h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 326C93 second address: 326C99 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3271D1 second address: 3271D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 327244 second address: 327249 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 329278 second address: 32927C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 32927C second address: 329282 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 329CC0 second address: 329CE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jns 00007FABD07C436Ah 0x0000000b jmp 00007FABD07C4364h 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 329CE7 second address: 329CEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 329CEB second address: 329CEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3289DD second address: 3289F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FABD07C1F63h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 329CEF second address: 329CF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 329CF5 second address: 329CFA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 329A39 second address: 329A3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 329A3D second address: 329A43 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 329A43 second address: 329A49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 329A49 second address: 329A62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jno 00007FABD07C1F56h 0x00000012 jnc 00007FABD07C1F56h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 32A835 second address: 32A876 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push edi 0x00000006 pop edi 0x00000007 pop esi 0x00000008 popad 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007FABD07C4358h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 movzx esi, di 0x00000027 mov si, di 0x0000002a push 00000000h 0x0000002c add dword ptr [ebp+122D19E6h], ebx 0x00000032 push 00000000h 0x00000034 movsx esi, dx 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a push esi 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 32A876 second address: 32A87B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 32A59D second address: 32A5A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 32A5A1 second address: 32A5A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 32A5A7 second address: 32A5CF instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FABD07C436Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 32B332 second address: 32B337 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 32A5CF second address: 32A5D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 32B10C second address: 32B119 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007FABD07C1F5Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 32BE33 second address: 32BE3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 32BE3E second address: 32BE43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 32BE43 second address: 32BEB3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FABD07C4365h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b mov dword ptr [ebp+122D17C3h], edi 0x00000011 mov dx, 9142h 0x00000015 popad 0x00000016 push 00000000h 0x00000018 sub si, 2778h 0x0000001d mov edi, 2481A2DCh 0x00000022 push 00000000h 0x00000024 mov edi, dword ptr [ebp+122D1BB3h] 0x0000002a xchg eax, ebx 0x0000002b pushad 0x0000002c jg 00007FABD07C4358h 0x00000032 push ecx 0x00000033 pop ecx 0x00000034 jmp 00007FABD07C435Fh 0x00000039 popad 0x0000003a push eax 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007FABD07C4369h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 32C870 second address: 32C891 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FABD07C1F65h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 330094 second address: 330099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 330099 second address: 3300B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FABD07C1F66h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3300B3 second address: 33013E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FABD07C435Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007FABD07C4358h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 00000018h 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 jmp 00007FABD07C435Fh 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ecx 0x00000034 call 00007FABD07C4358h 0x00000039 pop ecx 0x0000003a mov dword ptr [esp+04h], ecx 0x0000003e add dword ptr [esp+04h], 0000001Ch 0x00000046 inc ecx 0x00000047 push ecx 0x00000048 ret 0x00000049 pop ecx 0x0000004a ret 0x0000004b jmp 00007FABD07C4366h 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 js 00007FABD07C4358h 0x00000059 pushad 0x0000005a popad 0x0000005b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3322FB second address: 3322FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3332B2 second address: 3332E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FABD07C4356h 0x00000009 jmp 00007FABD07C4365h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 js 00007FABD07C435Ch 0x00000019 js 00007FABD07C4356h 0x0000001f push eax 0x00000020 push edx 0x00000021 push edi 0x00000022 pop edi 0x00000023 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3332E5 second address: 3332E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3332E9 second address: 333363 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007FABD07C4358h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 00000015h 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 jmp 00007FABD07C435Ch 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push ebx 0x0000002c call 00007FABD07C4358h 0x00000031 pop ebx 0x00000032 mov dword ptr [esp+04h], ebx 0x00000036 add dword ptr [esp+04h], 00000017h 0x0000003e inc ebx 0x0000003f push ebx 0x00000040 ret 0x00000041 pop ebx 0x00000042 ret 0x00000043 push ebx 0x00000044 mov ebx, dword ptr [ebp+12467E8Bh] 0x0000004a pop edi 0x0000004b push esi 0x0000004c pop edi 0x0000004d push 00000000h 0x0000004f jne 00007FABD07C435Ch 0x00000055 xchg eax, esi 0x00000056 pushad 0x00000057 pushad 0x00000058 pushad 0x00000059 popad 0x0000005a pushad 0x0000005b popad 0x0000005c popad 0x0000005d push eax 0x0000005e push edx 0x0000005f jo 00007FABD07C4356h 0x00000065 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3302BD second address: 3302C7 instructions: 0x00000000 rdtsc 0x00000002 js 00007FABD07C1F56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 333363 second address: 333386 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FABD07C4367h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3302C7 second address: 3302CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 333386 second address: 33338A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3302CD second address: 3302D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 33338A second address: 333390 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3302D1 second address: 3302FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007FABD07C1F6Eh 0x00000011 jmp 00007FABD07C1F68h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3302FA second address: 330300 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 330300 second address: 330304 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 332404 second address: 33242A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FABD07C4360h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d push edi 0x0000000e pop edi 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 jns 00007FABD07C4356h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 33242A second address: 3324E0 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FABD07C1F56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007FABD07C1F58h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 0000001Ch 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 mov dword ptr [ebp+122D2289h], ecx 0x0000002c mov bx, 9DD1h 0x00000030 push dword ptr fs:[00000000h] 0x00000037 push 00000000h 0x00000039 push esi 0x0000003a call 00007FABD07C1F58h 0x0000003f pop esi 0x00000040 mov dword ptr [esp+04h], esi 0x00000044 add dword ptr [esp+04h], 0000001Dh 0x0000004c inc esi 0x0000004d push esi 0x0000004e ret 0x0000004f pop esi 0x00000050 ret 0x00000051 add edi, 4859BCBEh 0x00000057 mov dword ptr fs:[00000000h], esp 0x0000005e jnp 00007FABD07C1F5Eh 0x00000064 mov eax, dword ptr [ebp+122D1191h] 0x0000006a mov ebx, dword ptr [ebp+122D2A91h] 0x00000070 mov edi, dword ptr [ebp+122D1827h] 0x00000076 push FFFFFFFFh 0x00000078 movzx ebx, di 0x0000007b nop 0x0000007c pushad 0x0000007d jmp 00007FABD07C1F68h 0x00000082 push eax 0x00000083 push edx 0x00000084 pushad 0x00000085 popad 0x00000086 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3324E0 second address: 3324EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3324EE second address: 3324F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 337349 second address: 33734F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 331363 second address: 331367 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 331449 second address: 33144D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3388E6 second address: 33895D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 jnc 00007FABD07C1F56h 0x0000000f pop edx 0x00000010 pop edx 0x00000011 nop 0x00000012 jmp 00007FABD07C1F63h 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push ebx 0x0000001c call 00007FABD07C1F58h 0x00000021 pop ebx 0x00000022 mov dword ptr [esp+04h], ebx 0x00000026 add dword ptr [esp+04h], 00000014h 0x0000002e inc ebx 0x0000002f push ebx 0x00000030 ret 0x00000031 pop ebx 0x00000032 ret 0x00000033 mov di, bx 0x00000036 mov bh, 1Fh 0x00000038 push 00000000h 0x0000003a sub edi, 3AF4C4ECh 0x00000040 xchg eax, esi 0x00000041 jo 00007FABD07C1F5Ah 0x00000047 push esi 0x00000048 pushad 0x00000049 popad 0x0000004a pop esi 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e jmp 00007FABD07C1F69h 0x00000053 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 339A1D second address: 339A21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 339A21 second address: 339A32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007FABD07C1F56h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 33A99D second address: 33A9A3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3334DF second address: 3334E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 33B9C3 second address: 33B9C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 33D95B second address: 33D95F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 33FA02 second address: 33FA1F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FABD07C4362h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 33FA1F second address: 33FA23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 341A9A second address: 341A9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 341A9E second address: 341AA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 2DDE5C second address: 2DDE6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 jnp 00007FABD07C4356h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 2DDE6B second address: 2DDE74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 33AB66 second address: 33AB6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 33AB6B second address: 33AB85 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FABD07C1F5Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c je 00007FABD07C1F5Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3454BC second address: 3454C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 346856 second address: 346869 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007FABD07C1F56h 0x0000000d jc 00007FABD07C1F56h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 33CB61 second address: 33CB66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3523CC second address: 3523D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3523D2 second address: 352407 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jo 00007FABD07C437Eh 0x0000000d jmp 00007FABD07C4363h 0x00000012 jmp 00007FABD07C4365h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 35271A second address: 352731 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 ja 00007FABD07C1F62h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 35F2D5 second address: 35F2E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FABD07C435Ah 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 35E843 second address: 35E847 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 35E847 second address: 35E84D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 35EC29 second address: 35EC4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FABD07C1F64h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007FABD07C1F56h 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 35EFFB second address: 35F005 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FABD07C4356h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 35F15C second address: 35F161 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 35F161 second address: 35F18B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FABD07C4364h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FABD07C435Dh 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 2ECE7A second address: 2ECE8B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jbe 00007FABD07C1F56h 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 36353E second address: 36355A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FABD07C435Eh 0x00000007 jnl 00007FABD07C4356h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3636DC second address: 3636E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3636E0 second address: 3636FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FABD07C4365h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3636FE second address: 36370C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 363A0E second address: 363A33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 push eax 0x00000008 jne 00007FABD07C4356h 0x0000000e pushad 0x0000000f popad 0x00000010 pop eax 0x00000011 jmp 00007FABD07C4360h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 363A33 second address: 363A37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 363CFC second address: 363D1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FABD07C4356h 0x0000000a pop ebx 0x0000000b pushad 0x0000000c jmp 00007FABD07C4362h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 363D1C second address: 363D25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 363D25 second address: 363D4B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FABD07C4360h 0x00000012 pushad 0x00000013 ja 00007FABD07C4356h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 363D4B second address: 363D57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 363D57 second address: 363D5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 363EE5 second address: 363EE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 363EE9 second address: 363F08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FABD07C4369h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 363F08 second address: 363F0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 363F0E second address: 363F12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 363F12 second address: 363F27 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FABD07C1F5Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 363F27 second address: 363F2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 363F2B second address: 363F54 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FABD07C1F65h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FABD07C1F5Bh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 363F54 second address: 363F58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3641FF second address: 364205 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 364487 second address: 36448B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 36448B second address: 364491 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3645C9 second address: 3645E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FABD07C4367h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3645E9 second address: 3645ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 30E8F5 second address: 30E8F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 30E8F9 second address: 30E8FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 30E8FF second address: 30E90A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 2E979F second address: 2E97A9 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FABD07C1F62h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 364A3B second address: 364A41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3702EE second address: 370308 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FABD07C1F64h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 370308 second address: 370321 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FABD07C4356h 0x00000008 jbe 00007FABD07C4356h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jo 00007FABD07C4356h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 370321 second address: 370340 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FABD07C1F56h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 jmp 00007FABD07C1F5Dh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 36F1BC second address: 36F1C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 36F658 second address: 36F672 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FABD07C1F64h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 36F672 second address: 36F676 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 36FC13 second address: 36FC17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 36FC17 second address: 36FC22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 36FC22 second address: 36FC28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 36FC28 second address: 36FC2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 36FC2F second address: 36FC35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 36FC35 second address: 36FC39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 370041 second address: 37005F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FABD07C1F64h 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 37005F second address: 370067 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 37618B second address: 376191 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 374FCB second address: 374FCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 374FCF second address: 374FD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 374FD3 second address: 374FD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 374FD9 second address: 374FE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3249EF second address: 3249F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3249F4 second address: 324D70 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FABD07C1F5Dh 0x00000008 jmp 00007FABD07C1F5Ch 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], ebx 0x00000013 movzx edx, cx 0x00000016 push dword ptr fs:[00000000h] 0x0000001d push 00000000h 0x0000001f push edi 0x00000020 call 00007FABD07C1F58h 0x00000025 pop edi 0x00000026 mov dword ptr [esp+04h], edi 0x0000002a add dword ptr [esp+04h], 00000017h 0x00000032 inc edi 0x00000033 push edi 0x00000034 ret 0x00000035 pop edi 0x00000036 ret 0x00000037 or dword ptr [ebp+12458E8Bh], esi 0x0000003d mov dword ptr fs:[00000000h], esp 0x00000044 xor ecx, dword ptr [ebp+122D2991h] 0x0000004a mov dword ptr [ebp+12486614h], esp 0x00000050 mov cl, dl 0x00000052 cmp dword ptr [ebp+122D292Dh], 00000000h 0x00000059 jne 00007FABD07C2086h 0x0000005f cmp dword ptr [ebp+122D2919h], 00000000h 0x00000066 jne 00007FABD07C2011h 0x0000006c cmp dword ptr [ebp+122D286Dh], 00000000h 0x00000073 jne 00007FABD07C203Bh 0x00000079 mov byte ptr [ebp+122D1B4Bh], 0000006Ch 0x00000080 mov edx, dword ptr [ebp+122D1B73h] 0x00000086 mov eax, DB057083h 0x0000008b mov edi, dword ptr [ebp+122D2A5Dh] 0x00000091 nop 0x00000092 pushad 0x00000093 pushad 0x00000094 pushad 0x00000095 popad 0x00000096 push eax 0x00000097 push edx 0x00000098 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 324D70 second address: 1718E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007FABD07C435Ch 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007FABD07C4364h 0x00000013 jg 00007FABD07C4358h 0x00000019 popad 0x0000001a nop 0x0000001b mov edx, dword ptr [ebp+122D1875h] 0x00000021 push dword ptr [ebp+122D0B4Dh] 0x00000027 mov di, 3F11h 0x0000002b call dword ptr [ebp+122D1B6Eh] 0x00000031 pushad 0x00000032 jmp 00007FABD07C4366h 0x00000037 xor eax, eax 0x00000039 stc 0x0000003a mov edx, dword ptr [esp+28h] 0x0000003e jp 00007FABD07C4357h 0x00000044 mov dword ptr [ebp+122D2805h], eax 0x0000004a add dword ptr [ebp+122D1812h], esi 0x00000050 mov esi, 0000003Ch 0x00000055 cmc 0x00000056 add esi, dword ptr [esp+24h] 0x0000005a jl 00007FABD07C436Ch 0x00000060 jno 00007FABD07C4366h 0x00000066 jbe 00007FABD07C4362h 0x0000006c jnp 00007FABD07C435Ch 0x00000072 mov dword ptr [ebp+122D1812h], esi 0x00000078 lodsw 0x0000007a xor dword ptr [ebp+122D19E6h], edi 0x00000080 jmp 00007FABD07C4361h 0x00000085 add eax, dword ptr [esp+24h] 0x00000089 sub dword ptr [ebp+122D1812h], ebx 0x0000008f jmp 00007FABD07C4366h 0x00000094 mov ebx, dword ptr [esp+24h] 0x00000098 cld 0x00000099 push eax 0x0000009a push eax 0x0000009b push edx 0x0000009c push eax 0x0000009d push edx 0x0000009e jmp 00007FABD07C4369h 0x000000a3 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 324F78 second address: 324F81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 324F81 second address: 324F9C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push ebx 0x0000000c pushad 0x0000000d jmp 00007FABD07C435Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 324F9C second address: 324FCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 mov eax, dword ptr [eax] 0x00000008 jo 00007FABD07C1F62h 0x0000000e jmp 00007FABD07C1F5Ch 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FABD07C1F63h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 324FCF second address: 324FD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 324FD5 second address: 32501E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FABD07C1F61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007FABD07C1F58h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 cmc 0x00000027 mov ecx, esi 0x00000029 push BD989BB8h 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 push edi 0x00000033 pop edi 0x00000034 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 32501E second address: 325024 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 325124 second address: 325128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 325128 second address: 325132 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FABD07C4356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 325132 second address: 32514F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FABD07C1F69h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 32552B second address: 32552F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 32552F second address: 325535 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3259D2 second address: 3259D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 325C41 second address: 325C4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 325C4A second address: 325C4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 325C4E second address: 30E8F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FABD07C1F60h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f lea eax, dword ptr [ebp+12486600h] 0x00000015 jmp 00007FABD07C1F5Ah 0x0000001a push eax 0x0000001b je 00007FABD07C1F69h 0x00000021 jmp 00007FABD07C1F63h 0x00000026 mov dword ptr [esp], eax 0x00000029 push 00000000h 0x0000002b push edx 0x0000002c call 00007FABD07C1F58h 0x00000031 pop edx 0x00000032 mov dword ptr [esp+04h], edx 0x00000036 add dword ptr [esp+04h], 0000001Dh 0x0000003e inc edx 0x0000003f push edx 0x00000040 ret 0x00000041 pop edx 0x00000042 ret 0x00000043 xor dword ptr [ebp+122D1B96h], ecx 0x00000049 lea eax, dword ptr [ebp+124865BCh] 0x0000004f mov dword ptr [ebp+122D1902h], edi 0x00000055 push eax 0x00000056 jmp 00007FABD07C1F5Dh 0x0000005b mov dword ptr [esp], eax 0x0000005e stc 0x0000005f call dword ptr [ebp+12458464h] 0x00000065 push eax 0x00000066 pushad 0x00000067 pushad 0x00000068 popad 0x00000069 jg 00007FABD07C1F56h 0x0000006f jmp 00007FABD07C1F62h 0x00000074 popad 0x00000075 push eax 0x00000076 push edx 0x00000077 jmp 00007FABD07C1F68h 0x0000007c push eax 0x0000007d push edx 0x0000007e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3753DA second address: 3753DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3753DE second address: 3753EB instructions: 0x00000000 rdtsc 0x00000002 jg 00007FABD07C1F56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3753EB second address: 3753F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ebx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 375676 second address: 37567A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 37567A second address: 37567E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 37567E second address: 375684 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 375684 second address: 37568F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 37568F second address: 375695 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 375695 second address: 37569E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3757E7 second address: 3757EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3757EF second address: 37580A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FABD07C4356h 0x00000008 jmp 00007FABD07C4361h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 37580A second address: 375810 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3759A1 second address: 3759BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push edi 0x00000008 jmp 00007FABD07C435Eh 0x0000000d je 00007FABD07C4356h 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3759BE second address: 3759C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 378513 second address: 378532 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FABD07C4356h 0x0000000a jmp 00007FABD07C4363h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3780C4 second address: 3780CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 37B1CA second address: 37B1D0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3829B6 second address: 3829BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 38128F second address: 381293 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 381293 second address: 381299 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 381299 second address: 3812A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 js 00007FABD07C4356h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3812A8 second address: 3812AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3812AD second address: 3812BB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FABD07C4358h 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 381444 second address: 381449 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 381449 second address: 381453 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FABD07C4356h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3815D8 second address: 3815DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3815DC second address: 3815FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007FABD07C4369h 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3815FF second address: 381604 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 381948 second address: 38195D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FABD07C435Bh 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 325698 second address: 3256FC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007FABD07C1F63h 0x00000011 nop 0x00000012 call 00007FABD07C1F5Dh 0x00000017 pop edx 0x00000018 mov ebx, dword ptr [ebp+124865FBh] 0x0000001e xor edx, dword ptr [ebp+122D2985h] 0x00000024 add eax, ebx 0x00000026 and dl, 00000062h 0x00000029 nop 0x0000002a push edi 0x0000002b pushad 0x0000002c pushad 0x0000002d popad 0x0000002e jmp 00007FABD07C1F5Fh 0x00000033 popad 0x00000034 pop edi 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 jne 00007FABD07C1F5Ch 0x0000003e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3256FC second address: 325737 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FABD07C4358h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov ecx, 3D096CA6h 0x00000012 push 00000004h 0x00000014 push 00000000h 0x00000016 push ebx 0x00000017 call 00007FABD07C4358h 0x0000001c pop ebx 0x0000001d mov dword ptr [esp+04h], ebx 0x00000021 add dword ptr [esp+04h], 00000014h 0x00000029 inc ebx 0x0000002a push ebx 0x0000002b ret 0x0000002c pop ebx 0x0000002d ret 0x0000002e nop 0x0000002f push eax 0x00000030 push edx 0x00000031 jno 00007FABD07C4358h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 382654 second address: 38267E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FABD07C1F64h 0x00000009 pop ebx 0x0000000a jbe 00007FABD07C1F5Eh 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 38267E second address: 382684 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3858B7 second address: 3858C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jl 00007FABD07C1F5Eh 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3858C9 second address: 3858D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3858D1 second address: 3858D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 384F96 second address: 384FB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FABD07C4366h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 384FB5 second address: 384FC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FABD07C1F56h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 385127 second address: 38512B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 38512B second address: 38512F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 385578 second address: 38558C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ja 00007FABD07C435Ch 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 38558C second address: 385594 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 385594 second address: 385598 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 385598 second address: 3855A2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3855A2 second address: 3855A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 388886 second address: 388891 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 388891 second address: 3888C8 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FABD07C4356h 0x00000008 jmp 00007FABD07C435Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jp 00007FABD07C4370h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 388BA8 second address: 388BB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 388CE8 second address: 388CF0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 38E94B second address: 38E95B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FABD07C1F56h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 38EDFF second address: 38EE09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FABD07C4356h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 38EE09 second address: 38EE30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FABD07C1F5Bh 0x00000007 jmp 00007FABD07C1F60h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 38EE30 second address: 38EE34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 38EE34 second address: 38EE3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 38EE3A second address: 38EE40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 38EE40 second address: 38EE44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 38F12C second address: 38F136 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FABD07C4356h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 38F3E9 second address: 38F420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FABD07C1F69h 0x00000009 jmp 00007FABD07C1F68h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 38F9A9 second address: 38F9B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 38F9B1 second address: 38F9BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 38F9BB second address: 38F9CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007FABD07C435Eh 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 38FC9C second address: 38FCAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007FABD07C1F5Ah 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3952E9 second address: 3952EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 394420 second address: 394426 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 394426 second address: 39442A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3946CD second address: 3946D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3946D1 second address: 3946DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FABD07C4356h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3946DD second address: 3946F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FABD07C1F66h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 394A11 second address: 394A40 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 js 00007FABD07C4356h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jno 00007FABD07C4358h 0x00000015 jc 00007FABD07C4368h 0x0000001b jmp 00007FABD07C4362h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 394B49 second address: 394B67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FABD07C1F67h 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 394B67 second address: 394B6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 394B6D second address: 394B9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FABD07C1F5Bh 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FABD07C1F61h 0x00000013 jnc 00007FABD07C1F58h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 394B9A second address: 394BA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 394BA0 second address: 394BA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 394BA6 second address: 394BAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 394CF8 second address: 394D06 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FABD07C1F56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 394D06 second address: 394D0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 394D0A second address: 394D17 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 394D17 second address: 394D1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 394D1D second address: 394D2C instructions: 0x00000000 rdtsc 0x00000002 jne 00007FABD07C1F56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 394D2C second address: 394D32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3A2E9E second address: 3A2EA4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3A2EA4 second address: 3A2EB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3A2EB0 second address: 3A2EB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3A2EB4 second address: 3A2ED3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ecx 0x00000008 pushad 0x00000009 jmp 00007FABD07C4362h 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3A1202 second address: 3A120D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3A120D second address: 3A1241 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FABD07C4362h 0x00000009 jl 00007FABD07C4356h 0x0000000f popad 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jmp 00007FABD07C4361h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3A1241 second address: 3A125C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FABD07C1F66h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3A1B54 second address: 3A1B58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3A1B58 second address: 3A1B82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FABD07C1F58h 0x0000000c pushad 0x0000000d jmp 00007FABD07C1F61h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 jnp 00007FABD07C1F56h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3A1E73 second address: 3A1E7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FABD07C4356h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3A1E7D second address: 3A1EAC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FABD07C1F61h 0x00000007 jc 00007FABD07C1F56h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push esi 0x00000011 pop esi 0x00000012 jc 00007FABD07C1F56h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b jns 00007FABD07C1F56h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3A1EAC second address: 3A1EB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3A1EB0 second address: 3A1EB6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3A8631 second address: 3A863C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3A863C second address: 3A8648 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FABD07C1F56h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 2E2C35 second address: 2E2C39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3BC407 second address: 3BC40F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3BFF10 second address: 3BFF16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3BFF16 second address: 3BFF2E instructions: 0x00000000 rdtsc 0x00000002 je 00007FABD07C1F56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007FABD07C1F82h 0x00000010 push ecx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3BFF2E second address: 3BFF34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3C4687 second address: 3C4690 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3C4690 second address: 3C46A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FABD07C435Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3C46A1 second address: 3C46B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007FABD07C1F56h 0x0000000e jnl 00007FABD07C1F56h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3C46B5 second address: 3C46C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3C46C2 second address: 3C46CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FABD07C1F56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3C46CC second address: 3C46D6 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FABD07C4356h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3C46D6 second address: 3C46F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jne 00007FABD07C1F56h 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007FABD07C1F5Ch 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3C31AA second address: 3C31B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3C31B0 second address: 3C31B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3CC349 second address: 3CC34E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3CC1ED second address: 3CC1F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3CC1F1 second address: 3CC20A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FABD07C4356h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jnc 00007FABD07C4356h 0x00000015 popad 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3CE6F8 second address: 3CE705 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3CE705 second address: 3CE70B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3CE70B second address: 3CE715 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FABD07C1F62h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3CE715 second address: 3CE71B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3CE71B second address: 3CE727 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jbe 00007FABD07C1F56h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3D0A78 second address: 3D0A8D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FABD07C4361h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3D0A8D second address: 3D0A96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3D5D66 second address: 3D5D6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3D5D6A second address: 3D5D6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3D5EB0 second address: 3D5EB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3D5EB4 second address: 3D5EBD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3D5EBD second address: 3D5EDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ebx 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FABD07C4366h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3D63BE second address: 3D63C8 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FABD07C1F56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3D63C8 second address: 3D63D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3D63D2 second address: 3D63D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3D63D6 second address: 3D63E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3D63E3 second address: 3D63E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3D63E7 second address: 3D63EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3D63EB second address: 3D63F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3D63F9 second address: 3D6415 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FABD07C4368h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3D6415 second address: 3D641A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3D641A second address: 3D6426 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FABD07C4356h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3D6F03 second address: 3D6F09 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3D6F09 second address: 3D6F0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3D6F0F second address: 3D6F59 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FABD07C1F69h 0x00000008 jmp 00007FABD07C1F62h 0x0000000d pop ebx 0x0000000e pushad 0x0000000f jmp 00007FABD07C1F66h 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3DE4FA second address: 3DE504 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3DE504 second address: 3DE509 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3DE509 second address: 3DE520 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FABD07C435Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3DE520 second address: 3DE530 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007FABD07C1F56h 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3E0501 second address: 3E0519 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FABD07C4360h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3E0519 second address: 3E051F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3E051F second address: 3E0523 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3E0051 second address: 3E0065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FABD07C1F56h 0x0000000a jne 00007FABD07C1F56h 0x00000010 popad 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3E0065 second address: 3E006F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3E01FB second address: 3E021B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FABD07C1F67h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3F47D7 second address: 3F47DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3F47DB second address: 3F47E5 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FABD07C1F56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3F5EA2 second address: 3F5EA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3F90BA second address: 3F90D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FABD07C1F63h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3F90D7 second address: 3F90F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FABD07C4365h 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3F90F1 second address: 3F90F6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3FAA64 second address: 3FAA6A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3FABB2 second address: 3FABFD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FABD07C1F62h 0x00000008 jmp 00007FABD07C1F64h 0x0000000d jmp 00007FABD07C1F69h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push edx 0x00000018 pop edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 3FABFD second address: 3FAC01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 400C1B second address: 400C1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 401042 second address: 401047 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 401047 second address: 401084 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FABD07C1F5Fh 0x00000007 jmp 00007FABD07C1F5Dh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 jmp 00007FABD07C1F63h 0x00000016 jno 00007FABD07C1F56h 0x0000001c pop eax 0x0000001d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 401084 second address: 401089 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 401342 second address: 401348 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 401348 second address: 401366 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FABD07C4365h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 408947 second address: 408954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ecx 0x00000006 jnc 00007FABD07C1F56h 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 40CCC4 second address: 40CCC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 40CCC8 second address: 40CD0D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FABD07C1F60h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FABD07C1F66h 0x00000011 jmp 00007FABD07C1F61h 0x00000016 ja 00007FABD07C1F56h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 40CD0D second address: 40CD29 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FABD07C4364h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jmp 00007FABD07C435Ch 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 40CD29 second address: 40CD2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 40EBF3 second address: 40EBFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push edx 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 40EBFC second address: 40EC17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FABD07C1F64h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 404A12 second address: 404A2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FABD07C4366h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 405AD8 second address: 405AE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 32902B second address: 329042 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FABD07C4362h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 329042 second address: 329048 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random.exe	RDTSC instruction interceptor: First address: 329048 second address: 32904C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\random.exe	Special instruction interceptor: First address: 17193E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\random.exe	Special instruction interceptor: First address: 31825C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\random.exe	Special instruction interceptor: First address: 324A58 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\random.exe	Special instruction interceptor: First address: 3AB5AD instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\random.exe	Memory allocated: 4B30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Memory allocated: 4D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Memory allocated: 4B70000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\random.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\random.exe	Window / User API: threadDelayed 2496			Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Window / User API: threadDelayed 7024			Jump to behavior

Source: C:\Users\user\Desktop\random.exe TID: 3540	Thread sleep time: -34017s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\random.exe TID: 7536	Thread sleep time: -35048813740048126s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\random.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\random.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: random.exe, random.exe, 00000005.00000002.1620446838.00000000002FB000.00000040.00000001.01000000.00000004.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: tmp6FAD.tmp.5.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: tmp6FAD.tmp.5.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: tmp6FAD.tmp.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: tmp6FAD.tmp.5.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: tmp6FAD.tmp.5.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: tmp6FAD.tmp.5.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: tmp6FAD.tmp.5.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: tmp6FAD.tmp.5.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: tmp6FAD.tmp.5.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: tmp6FAD.tmp.5.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: tmp6FAD.tmp.5.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: tmp6FAD.tmp.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: tmp6FAD.tmp.5.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: tmp6FAD.tmp.5.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: tmp6FAD.tmp.5.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: tmp6FAD.tmp.5.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: tmp6FAD.tmp.5.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: tmp6FAD.tmp.5.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: tmp6FAD.tmp.5.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: tmp6FAD.tmp.5.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: random.exe, 00000005.00000002.1621275572.0000000000BE6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllm
Source: tmp6FAD.tmp.5.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: tmp6FAD.tmp.5.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: tmp6FAD.tmp.5.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: tmp6FAD.tmp.5.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: tmp6FAD.tmp.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: tmp6FAD.tmp.5.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: tmp6FAD.tmp.5.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: random.exe, 00000005.00000002.1620446838.00000000002FB000.00000040.00000001.01000000.00000004.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: tmp6FAD.tmp.5.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: tmp6FAD.tmp.5.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: tmp6FAD.tmp.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: tmp6FAD.tmp.5.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Users\user\Desktop\random.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\random.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\random.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\random.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\random.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\random.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\random.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\random.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\random.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\random.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\random.exe	File opened: NTICE
Source: C:\Users\user\Desktop\random.exe	File opened: SICE
Source: C:\Users\user\Desktop\random.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\random.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\random.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\random.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\random.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\random.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\random.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\random.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\random.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\random.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 5.2.random.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.1304501021.0000000004930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1624839015.0000000004DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1620377710.0000000000152000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: random.exe PID: 2724, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Users\user\Desktop\random.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior

Source: Yara match	File source: 5.2.random.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.1304501021.0000000004930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1620377710.0000000000152000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: random.exe PID: 2724, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 5.2.random.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.1304501021.0000000004930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1624839015.0000000004DB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1620377710.0000000000152000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: random.exe PID: 2724, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	1 OS Credential Dumping	851 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	2 Data from Local System	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	471 Virtualization/Sandbox Evasion	Security Account Manager	471 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	314 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
random.exe	50%	ReversingLabs	Win32.Trojan.Amadey
random.exe	100%	Avira	TR/Crypt.TPM.Gen
random.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://103.84.89.222:33791t-	0%	Avira URL Cloud	safe
http://103.84.89.222:3	0%	Avira URL Cloud	safe
http://103.84.89.222:33791/	0%	Avira URL Cloud	safe
http://103.84.89.222:33791	0%	Avira URL Cloud	safe
103.84.89.222:33791	0%	Avira URL Cloud	safe
https://api.ipify.orgcookies//setti	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ip.sb.cdn.cloudflare.net	172.67.75.172	true	false		high
api.ip.sb	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://103.84.89.222:33791/	true	Avira URL Cloud: safe	unknown
https://api.ip.sb/geoip	false		high
103.84.89.222:33791	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/ip%appdata%	random.exe, random.exe, 00000005.00000003.1304501021.0000000004930000.00000004.00001000.00020000.00000000.sdmp, random.exe, 00000005.00000002.1620377710.0000000000152000.00000040.00000001.01000000.00000004.sdmp	false		high
https://duckduckgo.com/chrome_newtab	random.exe, 00000005.00000002.1626601894.0000000005F50000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000005.00000003.1525136307.0000000006075000.00000004.00000800.00020000.00000000.sdmp, tmpEBE6.tmp.5.dr, tmpEBD5.tmp.5.dr, tmp184C.tmp.5.dr, tmpEBB4.tmp.5.dr, tmpEBE7.tmp.5.dr, tmpEBA3.tmp.5.dr, tmp182A.tmp.5.dr, tmp1819.tmp.5.dr, tmp1809.tmp.5.dr, tmp184B.tmp.5.dr, tmpEBC4.tmp.5.dr, tmp183A.tmp.5.dr	false		high
https://duckduckgo.com/ac/?q=	random.exe, 00000005.00000002.1626601894.0000000005F50000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000005.00000003.1525136307.0000000006075000.00000004.00000800.00020000.00000000.sdmp, tmpEBE6.tmp.5.dr, tmpEBD5.tmp.5.dr, tmp184C.tmp.5.dr, tmpEBB4.tmp.5.dr, tmpEBE7.tmp.5.dr, tmpEBA3.tmp.5.dr, tmp182A.tmp.5.dr, tmp1819.tmp.5.dr, tmp1809.tmp.5.dr, tmp184B.tmp.5.dr, tmpEBC4.tmp.5.dr, tmp183A.tmp.5.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	random.exe, 00000005.00000002.1626601894.0000000005F50000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000005.00000003.1525136307.0000000006075000.00000004.00000800.00020000.00000000.sdmp, tmpEBE6.tmp.5.dr, tmpEBD5.tmp.5.dr, tmp184C.tmp.5.dr, tmpEBB4.tmp.5.dr, tmpEBE7.tmp.5.dr, tmpEBA3.tmp.5.dr, tmp182A.tmp.5.dr, tmp1819.tmp.5.dr, tmp1809.tmp.5.dr, tmp184B.tmp.5.dr, tmpEBC4.tmp.5.dr, tmp183A.tmp.5.dr	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	random.exe, 00000005.00000002.1624839015.0000000004D61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/CheckConnectResponse	random.exe, 00000005.00000002.1624839015.0000000004D61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.datacontract.org/2004/07/	random.exe, 00000005.00000002.1624839015.0000000004FC7000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000005.00000002.1624839015.0000000004DF1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX	random.exe, 00000005.00000002.1624839015.0000000004D61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/EnvironmentSettings	random.exe, 00000005.00000002.1624839015.0000000004D61000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000005.00000002.1624839015.0000000004DB0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	random.exe, random.exe, 00000005.00000003.1304501021.0000000004930000.00000004.00001000.00020000.00000000.sdmp, random.exe, 00000005.00000002.1620377710.0000000000152000.00000040.00000001.01000000.00000004.sdmp	false		high
https://api.ip.sb	random.exe, 00000005.00000002.1624839015.0000000004DB0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/	random.exe, 00000005.00000002.1624839015.0000000004DD2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://103.84.89.222:33791	random.exe, 00000005.00000002.1624839015.0000000004D61000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000005.00000002.1624839015.0000000004DF1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	random.exe, 00000005.00000002.1626601894.0000000005F50000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000005.00000003.1525136307.0000000006075000.00000004.00000800.00020000.00000000.sdmp, tmpEBE6.tmp.5.dr, tmpEBD5.tmp.5.dr, tmp184C.tmp.5.dr, tmpEBB4.tmp.5.dr, tmpEBE7.tmp.5.dr, tmpEBA3.tmp.5.dr, tmp182A.tmp.5.dr, tmp1819.tmp.5.dr, tmp1809.tmp.5.dr, tmp184B.tmp.5.dr, tmpEBC4.tmp.5.dr, tmp183A.tmp.5.dr	false		high
http://103.84.89.222:33791t-	random.exe, 00000005.00000002.1624839015.0000000004DF1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/	random.exe, 00000005.00000002.1624839015.0000000004DD2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/CheckConnect	random.exe, 00000005.00000002.1624839015.0000000004D61000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	random.exe, 00000005.00000002.1626601894.0000000005F50000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000005.00000003.1525136307.0000000006075000.00000004.00000800.00020000.00000000.sdmp, tmpEBE6.tmp.5.dr, tmpEBD5.tmp.5.dr, tmp184C.tmp.5.dr, tmpEBB4.tmp.5.dr, tmpEBE7.tmp.5.dr, tmpEBA3.tmp.5.dr, tmp182A.tmp.5.dr, tmp1819.tmp.5.dr, tmp1809.tmp.5.dr, tmp184B.tmp.5.dr, tmpEBC4.tmp.5.dr, tmp183A.tmp.5.dr	false		high
http://103.84.89.222:3	random.exe, 00000005.00000002.1624839015.0000000004FC7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	random.exe, 00000005.00000002.1626601894.0000000005F50000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000005.00000003.1525136307.0000000006075000.00000004.00000800.00020000.00000000.sdmp, tmpEBE6.tmp.5.dr, tmpEBD5.tmp.5.dr, tmp184C.tmp.5.dr, tmpEBB4.tmp.5.dr, tmpEBE7.tmp.5.dr, tmpEBA3.tmp.5.dr, tmp182A.tmp.5.dr, tmp1819.tmp.5.dr, tmp1809.tmp.5.dr, tmp184B.tmp.5.dr, tmpEBC4.tmp.5.dr, tmp183A.tmp.5.dr	false		high
http://tempuri.org/Endpoint/VerifyUpdateResponse	random.exe, 00000005.00000002.1624839015.0000000004D61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/SetEnviron	random.exe, 00000005.00000002.1624839015.0000000004FC7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/SetEnvironment	random.exe, 00000005.00000002.1624839015.0000000004DF1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/SetEnvironmentResponse	random.exe, 00000005.00000002.1624839015.0000000004D61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://purl.oen	random.exe, 00000005.00000003.1620184621.0000000008917000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000005.00000003.1502569246.0000000008916000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000005.00000003.1502531833.0000000008902000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000005.00000003.1620152408.0000000008917000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000005.00000003.1620056862.0000000008917000.00000004.00000020.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/GetUpdates	random.exe, 00000005.00000002.1624839015.0000000004EEA000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000005.00000002.1624839015.0000000004DB0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	random.exe, 00000005.00000002.1626601894.0000000005F50000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000005.00000003.1525136307.0000000006075000.00000004.00000800.00020000.00000000.sdmp, tmpEBE6.tmp.5.dr, tmpEBD5.tmp.5.dr, tmp184C.tmp.5.dr, tmpEBB4.tmp.5.dr, tmpEBE7.tmp.5.dr, tmpEBA3.tmp.5.dr, tmp182A.tmp.5.dr, tmp1819.tmp.5.dr, tmp1809.tmp.5.dr, tmp184B.tmp.5.dr, tmpEBC4.tmp.5.dr, tmp183A.tmp.5.dr	false		high
https://api.ip.sb/geoip%USERPEnvironmentROFILE	random.exe	false		high
https://api.ipify.orgcookies//settinString.Removeg	random.exe, random.exe, 00000005.00000003.1304501021.0000000004930000.00000004.00001000.00020000.00000000.sdmp, random.exe, 00000005.00000002.1620377710.0000000000152000.00000040.00000001.01000000.00000004.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	random.exe, 00000005.00000002.1624839015.0000000004D61000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.orgcookies//setti	random.exe	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/GetUpdatesResponse	random.exe, 00000005.00000002.1624839015.0000000004D61000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	random.exe, 00000005.00000002.1626601894.0000000005F50000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000005.00000003.1525136307.0000000006075000.00000004.00000800.00020000.00000000.sdmp, tmpEBE6.tmp.5.dr, tmpEBD5.tmp.5.dr, tmp184C.tmp.5.dr, tmpEBB4.tmp.5.dr, tmpEBE7.tmp.5.dr, tmpEBA3.tmp.5.dr, tmp182A.tmp.5.dr, tmp1819.tmp.5.dr, tmp1809.tmp.5.dr, tmp184B.tmp.5.dr, tmpEBC4.tmp.5.dr, tmp183A.tmp.5.dr	false		high
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	random.exe, 00000005.00000002.1624839015.0000000004D61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/VerifyUpdate	random.exe, 00000005.00000002.1624839015.0000000004D61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/0	random.exe, 00000005.00000002.1624839015.0000000004D61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	random.exe, 00000005.00000002.1624839015.0000000004D61000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	random.exe, 00000005.00000002.1626601894.0000000005F50000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000005.00000003.1525136307.0000000006075000.00000004.00000800.00020000.00000000.sdmp, tmpEBE6.tmp.5.dr, tmpEBD5.tmp.5.dr, tmp184C.tmp.5.dr, tmpEBB4.tmp.5.dr, tmpEBE7.tmp.5.dr, tmpEBA3.tmp.5.dr, tmp182A.tmp.5.dr, tmp1819.tmp.5.dr, tmp1809.tmp.5.dr, tmp184B.tmp.5.dr, tmpEBC4.tmp.5.dr, tmp183A.tmp.5.dr	false		high
http://schemas.xmlsoap.org/soap/actor/next	random.exe, 00000005.00000002.1624839015.0000000004D61000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.75.172	api.ip.sb.cdn.cloudflare.net	United States		13335	CLOUDFLARENETUS	false
103.84.89.222	unknown	Hong Kong		132813	AISI-AS-APHKAISICLOUDCOMPUTINGLIMITEDHK	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1604024
Start date and time:	2025-01-31 19:01:53 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	random.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@2/117@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
VT rate limit hit for: random.exe

Simulations

Behavior and APIs

Time	Type	Description
14:35:06	API Interceptor	96x Sleep call for process: random.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
172.67.75.172	lzUfwE2sh3.exe	Get hash	malicious	RedLine	Browse
	xI0ubnUcsV.exe	Get hash	malicious	RedLine	Browse
	VXB84UvyHp.exe	Get hash	malicious	RedLine	Browse
	http://www.fcc-movil.com/80th/enphem1sX2F0dG9ybmV5YXpAZmQub3Jn	Get hash	malicious	Phisher	Browse
	https://bityl.co/Rdhj#MmpKcFFEVVI2TVllaWsyVHoxbTVjNVQ2OFJkV0I2UW53emdGdFlabWtLYlFDd3ZmMjIydmh0VVc3SEJnZUNkeG11THhoRWM4cS95OXhmejFJQXRJWlE9PQ__	Get hash	malicious	Phisher	Browse
	https://www.popisoft.com	Get hash	malicious	Unknown	Browse
	3oYqGm39Lk.exe	Get hash	malicious	Amadey, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader	Browse
	3KuXQ4yrkM.exe	Get hash	malicious	Glupteba, Mystic Stealer, RedLine, SmokeLoader, zgRAT	Browse
	l5GCQ2fOuD.exe	Get hash	malicious	Djvu, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, Tofsee	Browse
	70141CDE965558529B1ADC82862D402149F21443F12F0.exe	Get hash	malicious	Amadey, Glupteba, Mystic Stealer, RedLine, SmokeLoader	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ip.sb.cdn.cloudflare.net	Qc2kkWDRFs.exe	Get hash	malicious	RedLine	Browse	104.26.13.31
	lzUfwE2sh3.exe	Get hash	malicious	RedLine	Browse	172.67.75.172
	xI0ubnUcsV.exe	Get hash	malicious	RedLine	Browse	172.67.75.172
	I5D7Y9o1R1.exe	Get hash	malicious	Amadey, LummaC Stealer, PureLog Stealer, RedLine	Browse	104.26.12.31
	qJ64p5G1XJ.exe	Get hash	malicious	RedLine	Browse	104.26.13.31
	VXB84UvyHp.exe	Get hash	malicious	RedLine	Browse	172.67.75.172
	chTJmCR9bS.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	104.26.12.31

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AISI-AS-APHKAISICLOUDCOMPUTINGLIMITEDHK	QmBbqpEHu0.exe	Get hash	malicious	FormBook	Browse	156.253.8.115
	3HnH4uJtE7.exe	Get hash	malicious	FormBook	Browse	156.253.8.115
	zE1VxVoZ3W.exe	Get hash	malicious	FormBook	Browse	156.253.8.115
	Payment Advice - Advice RefA2dGOv46MCnu -USD Priority payment.exe	Get hash	malicious	FormBook	Browse	156.253.8.115
	wavjjT3sEq.exe	Get hash	malicious	FormBook	Browse	156.226.22.233
	Order.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	156.226.22.233
	8mmZ7Bkoj1.exe	Get hash	malicious	FormBook	Browse	156.226.22.233
	notificacion_de_credito__PDF__.exe	Get hash	malicious	FormBook	Browse	156.226.22.233
	RECIEPT.PDF.exe	Get hash	malicious	FormBook	Browse	156.226.22.233
	INV & BANK DETAILS LETTER.pdf.exe	Get hash	malicious	FormBook	Browse	156.226.22.233
CLOUDFLARENETUS	random.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.139.144
	random.exe	Get hash	malicious	LummaC Stealer, PureLog Stealer	Browse	172.67.149.66
	random.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.18.116
	DJMvyf95wu.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.149.66
	random.exe	Get hash	malicious	LummaC Stealer, PureLog Stealer	Browse	172.67.149.66
	random.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.29.142
	random.exe	Get hash	malicious	LummaC Stealer, PureLog Stealer	Browse	172.67.149.66
	random.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.149.66
	zaTD5cdNaK.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.29.142
	https://jidooscn.sbs/	Get hash	malicious	HTMLPhisher	Browse	104.21.112.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	zam#U00f3wienia 31012025DJ ZK 25010325_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.75.172
	Faktura VAT-FV2025011500091_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.75.172
	weseethebestthingsevermadewithbestwithnewthingsgoodforme.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger, VIP Keylogger	Browse	172.67.75.172
	nmssb.hta	Get hash	malicious	Cobalt Strike, MassLogger RAT	Browse	172.67.75.172
	oMzryrtgQh.exe	Get hash	malicious	Nanocore, AgentTesla	Browse	172.67.75.172
	PO#5831205.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.75.172
	Remittance Advice2000255566644.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	172.67.75.172
	New Order 12960 Inquiry.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.75.172
	PAYMENT ADVICE.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.75.172
	fiyati_teklif 615TBI507_ SIVASBUY san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	VIP Keylogger	Browse	172.67.75.172

Process:	C:\Users\user\Desktop\random.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2666
Entropy (8bit):	5.345804351520589
Encrypted:	false
SSDEEP:	48:MOfHK5HKxHKdHK8THaAHKzecYHKh3oPtHo6nmHKtXooBHKoHzHZHpHt1qHxLHjH4:vq5qxqdqolqztYqh3oPtI6mq7qoT5JNV
MD5:	90757169D333CB9247B01FB0CAF14023
SHA1:	C47A0AA0CBC960527EA4FA7F61AC1D08B56C23A5
SHA-256:	C04472992BF7CF58327D947D334F1105C14C5CF0D2DD0DF7E7873CAADE0EC61D
SHA-512:	A49B90272EC353DE49C508AF75C509D14A18EA50ABD1CD49BF5313A708CB9654A543E3340C74978B5756A66EF291132E93931853CAD7CC8C85450BB64A318031
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\a3127677749631df61e96a8400ddcb87\System.Runtime.Serialization.ni.dll",0..2,"System.ServiceModel.Internals, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral,

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.936160621445922
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	random.exe
File size:	1'805'824 bytes
MD5:	f662cb18e04cc62863751b672570bd7d
SHA1:	1630d460c4ca5061d1d10ecdfd9a3c7d85b30896
SHA256:	1e9ff1fc659f304a408cff60895ef815d0a9d669a3d462e0046f55c8c6feafc2
SHA512:	ce51435c8fb272e40c323f03e8bb6dfa92d89c97bf1e26dc960b7cab6642c2e4bc4804660d0adac61e3b77c46bca056f6d53bedabcbeb3be5b6151bf61cee8f4
SSDEEP:	24576:+ShI0oE/JeMqdgRvsVsV3/AvUeCgzXw2UT+9E8tftrvOHcLQgrICC1UVAmWy/IWA:+STZJPqyhWzXRU6l3rIDUmGhgscIa
TLSH:	638533D604D7F151CC2305B895A1DE25BFFCB06E32BEFA113964A46970DFAC434AAA31
File Content Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..t...........@G.. ........@.. ........................G.....S.....@................................

Entrypoint:	0x874000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE
Time Stamp:	0xF00CA9A2 [Wed Aug 14 23:34:58 2097 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1c055	0x69	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a000	0x54c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1c1f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x2000	0x18000	0xa400	e29251c7ff1cd01d7d24fce054d50bf2	False	0.9962366615853658	data	7.966652808119376	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1a000	0x54c	0x400	a6003432dc3d3823bebfea443122edd8	False	0.6884765625	data	5.657176337655111	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x1c000	0x2000	0x200	5e5d7a8f233e5af15ced360b13b654ae	False	0.150390625	data	1.011987224820715	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x1e000	0x2aa000	0x200	171c8f516cb66700663dd739174543e0	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
efrqcofg	0x2c8000	0x1aa000	0x1a9c00	20f1e20fe507edd4ae137681ad077768	False	0.9946268992219612	OpenPGP Secret Key	7.9532683612246755	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
yqrfybbc	0x472000	0x2000	0x400	8d2d156d742ed32b911cac25c5065dc9	False	0.8203125	data	6.3697627016533005	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x474000	0x4000	0x2200	e1306353a24c3b60a2b3cf4d7b613e4d	False	0.06284466911764706	DOS executable (COM)	0.7922669188893766	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x4716a4	0x254	data			0.4597315436241611
RT_MANIFEST	0x4718f8	0x256	ASCII text, with CRLF line terminators			0.5100334448160535

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 31, 2025 19:03:10.195390940 CET	54980	53	192.168.2.7	1.1.1.1
Jan 31, 2025 19:03:10.202481031 CET	53	54980	1.1.1.1	192.168.2.7
Jan 31, 2025 19:03:11.006838083 CET	53	58941	1.1.1.1	192.168.2.7

Timestamp	Bytes transferred	Direction	Data
Jan 31, 2025 19:03:02.404978037 CET	240	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 103.84.89.222:33791 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Jan 31, 2025 19:03:03.221281052 CET	359	IN	HTTP/1.1 200 OK Content-Length: 212 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Fri, 31 Jan 2025 18:03:03 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
Jan 31, 2025 19:03:09.395656109 CET	223	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: 103.84.89.222:33791 Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate
Jan 31, 2025 19:03:09.725229025 CET	25	IN	HTTP/1.1 100 Continue
Jan 31, 2025 19:03:09.983180046 CET	1236	IN	HTTP/1.1 200 OK Content-Length: 5045 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Fri, 31 Jan 2025 18:03:09 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c [TRUNCATED] Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:Object4>true</a:Object4><a:Object6>false</a:Object6><a:ScanBrowsers>true</a:ScanBrowsers><a:ScanChromeBrowsersPaths xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>%USERPROFILE%\AppData\Local\Battle.net</b:string><b:string>%USERPROFILE%\AppData\Local\Chromium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google(x86)\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Roaming\Opera Software\</b:string><b:string>%USERPROFILE%\AppData\Local\MapleStudio\ChromePlus\User Data</b:string [TRUNCATED]

Timestamp	Bytes transferred	Direction	Data
Jan 31, 2025 19:03:16.973776102 CET	222	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" Host: 103.84.89.222:33791 Content-Length: 1089013 Expect: 100-continue Accept-Encoding: gzip, deflate
Jan 31, 2025 19:03:21.161967993 CET	294	IN	HTTP/1.1 200 OK Content-Length: 147 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Fri, 31 Jan 2025 18:03:21 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Timestamp	Bytes transferred	Direction	Data
Jan 31, 2025 19:03:21.169868946 CET	242	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" Host: 103.84.89.222:33791 Content-Length: 1089005 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Jan 31, 2025 19:03:25.338067055 CET	408	IN	HTTP/1.1 200 OK Content-Length: 261 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Fri, 31 Jan 2025 18:03:25 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>

Timestamp	Bytes transferred	Direction	Data
2025-01-31 18:03:10 UTC	64	OUT	GET /geoip HTTP/1.1 Host: api.ip.sb Connection: Keep-Alive
2025-01-31 18:03:11 UTC	937	IN	HTTP/1.1 200 OK Date: Fri, 31 Jan 2025 18:03:11 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close vary: Accept-Encoding Cache-Control: no-cache access-control-allow-origin: * cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Spe7ywWl1PUOVWFURBtYeMZ9lXxyV67cCDntCJPWa3f7222cnu1i1%2B5H4MoRcxqHtdhdXIUtjjQ6n3oyoHAx0mideouuiZLVHCfmp2NF6dySYoChoLDxf5XeAw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Server: cloudflare CF-RAY: 90ab9df11d5b6a50-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1633&min_rtt=1626&rtt_var=624&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2805&recv_bytes=678&delivery_rate=1731909&cwnd=234&unsent_bytes=0&cid=f3b45fe818a49d14&ts=511&x=0"
2025-01-31 18:03:11 UTC	351	IN	Data Raw: 31 35 38 0d 0a 7b 22 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 22 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 37 34 2e 30 30 36 36 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 5c 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 22 2c 22 6f 66 66 73 65 74 22 3a 2d 31 38 30 30 30 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 61 73 6e 22 3a 33 33 35 36 2c 22 61 73 6e 5f 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 3a 22 4c 45 56 45 4c 33 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 22 6c 61 74 69 74 75 64 65 Data Ascii: 158{"organization":"CenturyLink","longitude":-74.0066,"city":"New York","timezone":"America\/New_York","isp":"CenturyLink","offset":-18000,"region":"New York","asn":3356,"asn_organization":"LEVEL3","country":"United States","ip":"8.46.123.189","latitude
2025-01-31 18:03:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	5
Start time:	13:02:50
Start date:	31/01/2025
Path:	C:\Users\user\Desktop\random.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\random.exe"
Imagebase:	0x150000
File size:	1'805'824 bytes
MD5 hash:	F662CB18E04CC62863751B672570BD7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.1304501021.0000000004930000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000003.1304501021.0000000004930000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000005.00000003.1304501021.0000000004930000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000002.1624839015.0000000004DB0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1620377710.0000000000152000.00000040.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000002.1620377710.0000000000152000.00000040.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000005.00000002.1620377710.0000000000152000.00000040.00000001.01000000.00000004.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report random.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\random.exe.log

C:\Users\user\AppData\Local\Temp\tmp1809.tmp

C:\Users\user\AppData\Local\Temp\tmp1819.tmp

C:\Users\user\AppData\Local\Temp\tmp182A.tmp

C:\Users\user\AppData\Local\Temp\tmp183A.tmp

C:\Users\user\AppData\Local\Temp\tmp184B.tmp

C:\Users\user\AppData\Local\Temp\tmp184C.tmp

C:\Users\user\AppData\Local\Temp\tmp3D7F.tmp

C:\Users\user\AppData\Local\Temp\tmp4401.tmp

C:\Users\user\AppData\Local\Temp\tmp4411.tmp

C:\Users\user\AppData\Local\Temp\tmp4412.tmp

C:\Users\user\AppData\Local\Temp\tmp4423.tmp

C:\Users\user\AppData\Local\Temp\tmp4424.tmp

C:\Users\user\AppData\Local\Temp\tmp4434.tmp

C:\Users\user\AppData\Local\Temp\tmp4445.tmp

Windows Analysis Report
random.exe