Windows Analysis Report
SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll

Source: SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll	ReversingLabs: Detection: 57%
Source: SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll	Virustotal: Detection: 62%

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll,PyArg_Parse
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll,PyArg_ParseTuple
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll,PyArg_ParseTupleAndKeywords
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6364 -s 748
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll",PyArg_Parse
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll",PyArg_ParseTuple
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll",PyArg_ParseTupleAndKeywords
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll",dbkFCallWrapperAddr
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll",dbkFCallWrapperAddr
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll",dbkFCallWrapperAddr
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll,PyArg_Parse	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll,PyArg_ParseTuple	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll,PyArg_ParseTupleAndKeywords	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll",PyArg_Parse	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll",PyArg_ParseTuple	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll",PyArg_ParseTupleAndKeywords	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll",dbkFCallWrapperAddr	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll",dbkFCallWrapperAddr	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll",dbkFCallWrapperAddr	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll",#1	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D7C.tmp

Creates an autostart registry key pointing to binary in C:\Windows

Source: classification engine

Classification label: mal88.evad.winDLL@27/7@1/3

Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll,PyArg_Parse

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6364
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5280:120:WilError_01

Source: rundll32.exe	String found in binary or memory: jp-ocr-b-add
Source: rundll32.exe	String found in binary or memory: JIS_C6229-1984-b-add
Source: rundll32.exe	String found in binary or memory: jp-ocr-hand-add
Source: rundll32.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: rundll32.exe	String found in binary or memory: ISO_6937-2-add
Source: rundll32.exe	String found in binary or memory: NATS-SEFI-ADD
Source: rundll32.exe	String found in binary or memory: NATS-DANO-ADD

Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll

Static file information: File size 7131136 > 1048576

Source: SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x502e00
Source: SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll	Static PE information: Raw size of .sedata is bigger than: 0x100000 < 0x1c7e00

Source: SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: iphlpapi.pdbUGP source: loaddll32.exe, 00000000.00000002.647197608.000000000283A000.00000040.00000800.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.546105070.0000000000CF3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.526173512.0000000002D1C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1009109975.0000000004A2A000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.695575249.0000000004C58000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdb source: loaddll32.exe, 00000000.00000002.647099501.0000000000F24000.00000040.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.535262532.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1008473183.00000000046FF000.00000040.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.695223560.00000000049CA000.00000040.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.628693706.0000000004A68000.00000040.00000020.00020000.00000000.sdmp
Source:	Binary string: iphlpapi.pdb source: loaddll32.exe, 00000000.00000002.647197608.000000000283A000.00000040.00000800.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.546105070.0000000000CF3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.526173512.0000000002D1C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1009109975.0000000004A2A000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.695575249.0000000004C58000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: advapi32.pdbUGP source: loaddll32.exe, 00000000.00000002.647197608.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1009109975.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.695575249.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.828889556.0000000004620000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdb source: loaddll32.exe, 00000000.00000002.647753651.0000000002EC7000.00000040.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1009274858.0000000004BB1000.00000040.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.695693538.0000000004DDF000.00000040.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.832575325.0000000005356000.00000040.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.526354577.0000000002995000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.647314302.0000000002B35000.00000040.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1008725355.0000000004826000.00000040.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.495607190.000000000468B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.695323350.0000000004A48000.00000040.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.628847023.0000000004B8D000.00000040.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000003.526354577.0000000002995000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.647314302.0000000002B35000.00000040.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1008725355.0000000004826000.00000040.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.495607190.000000000468B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.695323350.0000000004A48000.00000040.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.628847023.0000000004B8D000.00000040.00000020.00020000.00000000.sdmp
Source:	Binary string: wuser32.pdb source: loaddll32.exe, 00000000.00000003.538203445.0000000002998000.00000004.00000800.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.647510965.0000000002CD1000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1010130762.0000000004DAA000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.695939637.0000000004FDC000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.650243080.0000000005109000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: wkernelbase.pdbUGP source: loaddll32.exe, 00000000.00000002.647753651.0000000002EC7000.00000040.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1009274858.0000000004BB1000.00000040.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.695693538.0000000004DDF000.00000040.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.832575325.0000000005356000.00000040.00000020.00020000.00000000.sdmp
Source:	Binary string: advapi32.pdb source: loaddll32.exe, 00000000.00000002.647197608.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1009109975.00000000049C0000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.695575249.0000000004BE0000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.828889556.0000000004620000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: wkernel32.pdbGCTL source: loaddll32.exe, 00000000.00000002.647099501.0000000000F24000.00000040.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.535262532.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1008473183.00000000046FF000.00000040.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.695223560.00000000049CA000.00000040.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.628693706.0000000004A68000.00000040.00000020.00020000.00000000.sdmp
Source:	Binary string: wuser32.pdbUGP source: loaddll32.exe, 00000000.00000003.538203445.0000000002998000.00000004.00000800.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.647510965.0000000002CD1000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1010130762.0000000004DAA000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.695939637.0000000004FDC000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.650243080.0000000005109000.00000040.00000800.00020000.00000000.sdmp

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00F14A4B push ecx; ret	0_2_00F14A5E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ABA1DA4 push ecx; mov dword ptr [esp], edx	3_2_6ABA1DA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CD8CCE0 push edx; mov dword ptr [esp], eax	3_2_6CD8CCB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6AB8D218 push ecx; mov dword ptr [esp], edx	3_2_6AB8D21A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6ACA826C push ecx; mov dword ptr [esp], eax	3_2_6ACA826F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6AB643F8 push ecx; mov dword ptr [esp], edx	3_2_6AB643F9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6AB79304 push ecx; mov dword ptr [esp], ecx	3_2_6AB79307
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CCEA6C8 push edx; ret	3_2_6CCEC0E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CCEA6C8 push dword ptr [esp]; retn 0004h	3_2_6CCEC12C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CCEA6E7 push edx; ret	3_2_6CCEC0E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CCE86F3 push dword ptr [esp+04h]; retn 0008h	3_2_6CCE9FAB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CCEA6A1 push edx; ret	3_2_6CCEB7C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CCEA676 push edx; ret	3_2_6CCEB7C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CCEB61D push dword ptr [esp]; retn 0004h	3_2_6CCEB66A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6AC38018 push ecx; mov dword ptr [esp], edx	3_2_6AC38019
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CDD0FD4 push ebp; mov dword ptr [esp], ebp	3_2_6CDD113F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CDCCF9C push dword ptr [esp+02h]; mov dword ptr [esp], edx	3_2_6CDCCFA3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6AB5C9DC push ecx; mov dword ptr [esp], edx	3_2_6AB5C9DD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CCE8709 push ebp; mov dword ptr [esp], edx	3_2_6CCE870D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CCE8709 push dword ptr [esp+04h]; retn 0008h	3_2_6CCE9FAB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CDD10DD push ebp; mov dword ptr [esp], ebp	3_2_6CDD113F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CDB28C1 push bp; mov dword ptr [esp], edi	3_2_6CDB2BD8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CDD10C1 push ebp; mov dword ptr [esp], ebp	3_2_6CDD113F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6AC33E98 push ecx; mov dword ptr [esp], ecx	3_2_6AC33E9C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CCEE892 push ecx; mov dword ptr [esp], eax	3_2_6CCEE89B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CCEC04C push dword ptr [esp]; retn 0004h	3_2_6CCEC12C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CDC7859 pushfd ; mov dword ptr [esp], ecx	3_2_6CDC7901
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6AC32E60 push ecx; mov dword ptr [esp], ecx	3_2_6AC32E65
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CDC8076 push 8A240C8Ah; iretd	3_2_6CDC8096
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CCEE87C push ecx; mov dword ptr [esp], eax	3_2_6CCEE89B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6CDC8060 push 8A240C8Ah; iretd	3_2_6CDC8096

Source: SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll	Static PE information: section name: .sedata
Source: SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll	Static PE information: section name: .sedata

Source: initial sample

Static PE information: section where entry point is pointing to: .sedata

Source: initial sample

Static PE information: section name: .sedata entropy: 7.114902610616691

Boot Survival

Source: C:\Windows\SysWOW64\rundll32.exe

Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run rundll32.exe

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Windows\SysWOW64\rundll32.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run rundll32.exe			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run rundll32.exe			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\loaddll32.exe

Special instruction interceptor: First address: 000000006CCF2D4C instructions caused by: Self-modifying code

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCEEAC9 second address: 000000006CCEEEF8 instructions: 0x00000000 rdtsc 0x00000002 mov dl, F2h 0x00000004 bswap ecx 0x00000006 call 00007FE5150D13DAh 0x0000000b jmp 00007FE5150D142Bh 0x0000000d lea ebx, dword ptr [ebx+55h] 0x00000010 lea ecx, dword ptr [00000000h+ebx*4] 0x00000017 bsr bp, cx 0x0000001b rcl ecx, 19h 0x0000001e xchg dword ptr [esp+04h], ebx 0x00000022 jmp 00007FE5150D185Bh 0x00000027 mov al, F1h 0x00000029 rcl bx, 1 0x0000002c inc bx 0x0000002e sub esp, 1Eh 0x00000031 ror ax, 0002h 0x00000035 lea esp, dword ptr [esp+02h] 0x00000039 jmp 00007FE5150D13C0h 0x0000003b push dword ptr [esp+20h] 0x0000003f retn 0024h 0x00000042 lea edi, dword ptr [esp+0Ch] 0x00000046 mov dl, byte ptr [esp] 0x00000049 jmp 00007FE5150D186Ah 0x0000004e sub esp, 000000B4h 0x00000054 mov ebp, esp 0x00000056 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCFB709 second address: 000000006CCFB85B instructions: 0x00000000 rdtsc 0x00000002 mov ah, byte ptr [esp] 0x00000005 jmp 00007FE5151CE62Dh 0x00000007 mov dh, byte ptr [esp] 0x0000000a jmp 00007FE5151CE640h 0x0000000c mov ecx, edi 0x0000000e mov esi, dword ptr [ecx] 0x00000010 bsf ecx, ecx 0x00000013 jnp 00007FE5151CE5F3h 0x00000015 jmp 00007FE5151CE6A5h 0x0000001a mov al, 96h 0x0000001c xchg edx, ecx 0x0000001e add edi, 04h 0x00000021 jmp 00007FE5151CE5C9h 0x00000023 btc edx, esi 0x00000026 je 00007FE5151CE5F7h 0x00000028 bsr eax, edi 0x0000002b setnl dh 0x0000002e jmp 00007FE5151CE62Ch 0x00000030 push ebp 0x00000031 lea ecx, dword ptr [ecx+esi] 0x00000034 call 00007FE5151CE5F2h 0x00000039 mov ch, byte ptr [esp] 0x0000003c push esi 0x0000003d jmp 00007FE5151CE692h 0x00000042 and ebp, esi 0x00000044 jns 00007FE5151CE5DEh 0x00000046 mov cx, word ptr [esp] 0x0000004a mov cl, byte ptr [esp] 0x0000004d jmp 00007FE5151CE5EFh 0x0000004f dec ax 0x00000051 push edi 0x00000052 mov dx, 9280h 0x00000056 mov dx, B8F4h 0x0000005a jmp 00007FE5151CE628h 0x0000005c mov bp, word ptr [esp] 0x00000060 sbb ax, bp 0x00000063 jmp 00007FE5151CE659h 0x00000065 jnc 00007FE5151CE5CDh 0x00000067 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCFB85B second address: 000000006CCFB903 instructions: 0x00000000 rdtsc 0x00000002 lea eax, dword ptr [eax+ebx] 0x00000005 jmp 00007FE5150D13DFh 0x00000007 cmp eax, 9DA45E12h 0x0000000c push si 0x0000000e lea esp, dword ptr [esp+02h] 0x00000012 jmp 00007FE5150D142Eh 0x00000014 pop esi 0x00000015 mov al, dl 0x00000017 mov al, dl 0x00000019 clc 0x0000001a jnp 00007FE5150D13E4h 0x0000001c jp 00007FE5150D1476h 0x0000001e pop ebp 0x0000001f mov ch, 2Fh 0x00000021 mov ax, BE00h 0x00000025 or eax, ebx 0x00000027 jnle 00007FE5150D13C1h 0x00000029 jle 00007FE5150D13A9h 0x0000002b add esp, 04h 0x0000002e jnbe 00007FE5150D142Bh 0x00000030 pushfd 0x00000031 mov cx, word ptr [esp+02h] 0x00000036 jmp 00007FE5150D13E4h 0x00000038 lea edi, dword ptr [ecx+ebx] 0x0000003b mov edi, dword ptr [esp+04h] 0x0000003f mov edx, 6C4C3A78h 0x00000044 push dx 0x00000046 jmp 00007FE5150D1410h 0x00000048 lea esp, dword ptr [esp+02h] 0x0000004c lea esp, dword ptr [esp+08h] 0x00000050 call 00007FE5150D1431h 0x00000055 mov ax, dx 0x00000058 mov cl, B9h 0x0000005a bt dx, bx 0x0000005e xchg dword ptr [esp], ecx 0x00000061 jmp 00007FE5150D13DEh 0x00000063 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCFB903 second address: 000000006CCECBBE instructions: 0x00000000 rdtsc 0x00000002 sub edx, eax 0x00000004 mov ax, bx 0x00000007 add dx, dx 0x0000000a mov ah, E4h 0x0000000c jmp 00007FE5151CE628h 0x0000000e lea ecx, dword ptr [ecx-0000ED1Ch] 0x00000014 mov dx, AE09h 0x00000018 mov eax, dword ptr [esp] 0x0000001b btc ax, si 0x0000001f call 00007FE5151CE8CDh 0x00000024 xchg dword ptr [esp+04h], ecx 0x00000028 mov ch, byte ptr [esp] 0x0000002b jmp 00007FE5151CE443h 0x00000030 sub esp, 16h 0x00000033 mov ax, word ptr [esp+07h] 0x00000038 mov ecx, dword ptr [esp+12h] 0x0000003c add esp, 07h 0x0000003f lea esp, dword ptr [esp+03h] 0x00000043 push dword ptr [esp+10h] 0x00000047 retn 0014h 0x0000004a mov ebx, ebp 0x0000004c lea eax, dword ptr [esp+ecx] 0x0000004f setle ah 0x00000052 sets dl 0x00000055 call 00007FE5151CE5EFh 0x0000005a xchg cl, ch 0x0000005c pushad 0x0000005d rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCECBBE second address: 000000006CCECBE2 instructions: 0x00000000 rdtsc 0x00000002 mov al, bh 0x00000004 xchg dword ptr [esp+20h], esi 0x00000008 jmp 00007FE5150D141Ch 0x0000000a rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCECBE2 second address: 000000006CCECCAF instructions: 0x00000000 rdtsc 0x00000002 xchg ecx, edx 0x00000004 mov ax, word ptr [esp] 0x00000008 mov edx, B68AAC39h 0x0000000d lea esi, dword ptr [esi-00000052h] 0x00000013 xchg eax, edx 0x00000014 jmp 00007FE5151CE633h 0x00000016 mov edx, ecx 0x00000018 lea eax, dword ptr [00000000h+edi*4] 0x0000001f mov dx, 208Bh 0x00000023 xchg dword ptr [esp+20h], esi 0x00000027 mov cl, ch 0x00000029 xchg dx, ax 0x0000002c jmp 00007FE5151CE5E3h 0x0000002e xchg dx, ax 0x00000031 mov ecx, dword ptr [esp] 0x00000034 push dword ptr [esp+20h] 0x00000038 retn 0024h 0x0000003b mov eax, 12F33EA2h 0x00000040 xor cl, 00000044h 0x00000043 jnl 00007FE5151CE6F0h 0x00000049 pushfd 0x0000004a mov dx, cx 0x0000004d mov dh, 56h 0x0000004f lea eax, dword ptr [ebx-03h] 0x00000052 lea ecx, dword ptr [ecx-0F5291AAh] 0x00000058 lea esp, dword ptr [esp+04h] 0x0000005c sub ebp, 1284C013h 0x00000062 call 00007FE5151CE62Ch 0x00000067 mov ecx, dword ptr [esp] 0x0000006a rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCECCAF second address: 000000006CCECC9D instructions: 0x00000000 rdtsc 0x00000002 neg al 0x00000004 neg al 0x00000006 push sp 0x00000008 jmp 00007FE5150D13DFh 0x0000000a lea esp, dword ptr [esp+02h] 0x0000000e xchg dword ptr [esp], ebx 0x00000011 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCECC9D second address: 000000006CCECCC5 instructions: 0x00000000 rdtsc 0x00000002 mov edx, 93656786h 0x00000007 jmp 00007FE5151CE625h 0x00000009 mov edx, dword ptr [esp] 0x0000000c lea ebx, dword ptr [ebx-00000034h] 0x00000012 shr eax, 0Ch 0x00000015 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCECE39 second address: 000000006CCECE3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE5150D13BFh 0x00000004 xor ebp, 2D4823BBh 0x0000000a mov ah, byte ptr [esp] 0x0000000d clc 0x0000000e je 00007FE5150D13E0h 0x00000010 jne 00007FE5150D140Ah 0x00000012 mov eax, 09013DC9h 0x00000017 sub esp, 19h 0x0000001a lea esp, dword ptr [esp+01h] 0x0000001e jmp 00007FE5150D1486h 0x00000023 add ebp, dword ptr [esi] 0x00000025 lea eax, dword ptr [00000000h+edx*4] 0x0000002c xchg ch, cl 0x0000002e jmp 00007FE5150D13ADh 0x00000030 movzx ecx, byte ptr [ebp+00h] 0x00000034 jmp 00007FE5150D13DFh 0x00000036 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCECE3D second address: 000000006CCECEB5 instructions: 0x00000000 rdtsc 0x00000002 clc 0x00000003 jnbe 00007FE5151CE646h 0x00000005 not ax 0x00000008 call 00007FE5151CE5F7h 0x0000000d mov ax, di 0x00000010 jmp 00007FE5151CE62Bh 0x00000012 mov edx, dword ptr [esp] 0x00000015 add esp, 02h 0x00000018 jmp 00007FE5151CE66Dh 0x0000001a jnle 00007FE5151CE5B9h 0x0000001c mov dl, dh 0x0000001e mov dh, byte ptr [esp+01h] 0x00000022 call 00007FE5151CE649h 0x00000027 lea esp, dword ptr [esp+02h] 0x0000002b jmp 00007FE5151CE5F6h 0x0000002d add cl, bl 0x0000002f rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCED042 second address: 000000006CCED0C7 instructions: 0x00000000 rdtsc 0x00000002 btr eax, ebp 0x00000005 jnp 00007FE5150D1449h 0x00000007 mov dx, word ptr [esp] 0x0000000b jmp 00007FE5150D1432h 0x0000000d inc ebp 0x0000000e rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCEDC6E second address: 000000006CCECE3D instructions: 0x00000000 rdtsc 0x00000002 and cx, si 0x00000005 jnc 00007FE5151CE63Eh 0x00000007 jmp 00007FE5151CE5FAh 0x00000009 mov dx, word ptr [esp] 0x0000000d jmp 00007FE5151CE638h 0x0000000f sub esp, 02h 0x00000012 jne 00007FE5151CE651h 0x00000014 lea eax, dword ptr [esp+edi] 0x00000017 lea esp, dword ptr [esp+02h] 0x0000001b jmp 00007FE5151CE644h 0x0000001d lea eax, dword ptr [edi+50h] 0x00000020 xchg dx, cx 0x00000023 stc 0x00000024 jc 00007FE5151CE598h 0x00000026 push di 0x00000028 lea esp, dword ptr [esp+02h] 0x0000002c jmp 00007FE5151CE686h 0x0000002e cmp esi, eax 0x00000030 jmp 00007FE5151CE74Bh 0x00000035 jl 00007FE5151CE4DBh 0x0000003b jnl 00007FE5151CE4D5h 0x00000041 ja 00007FE5151CD721h 0x00000047 movzx ecx, byte ptr [ebp+00h] 0x0000004b jmp 00007FE5151CE5EFh 0x0000004d rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCFDBDC second address: 000000006CCFDDC5 instructions: 0x00000000 rdtsc 0x00000002 push ebp 0x00000003 stc 0x00000004 jnc 00007FE5150D13C2h 0x00000006 shl bp, cl 0x00000009 jmp 00007FE5150D14A1h 0x0000000e push esi 0x0000000f xchg bp, ax 0x00000012 pushfd 0x00000013 jmp 00007FE5150D13B7h 0x00000015 inc bp 0x00000017 jnc 00007FE5150D13DAh 0x00000019 jc 00007FE5150D13D8h 0x0000001b push edi 0x0000001c xchg dh, dl 0x0000001e xchg dl, cl 0x00000020 jmp 00007FE5150D13E5h 0x00000022 sub esp, 00000000h 0x00000025 jbe 00007FE5150D141Ah 0x00000027 mov ecx, dword ptr [esp] 0x0000002a lea edx, dword ptr [esi+esi] 0x0000002d add dx, bx 0x00000030 jmp 00007FE5150D144Bh 0x00000032 pop ebp 0x00000033 sub esp, 03h 0x00000036 jbe 00007FE5150D13E3h 0x00000038 rol esi, cl 0x0000003a add esp, 01h 0x0000003d lea esp, dword ptr [esp+02h] 0x00000041 jmp 00007FE5150D15C9h 0x00000046 add esp, 04h 0x00000049 jno 00007FE5150D1388h 0x0000004b pop edi 0x0000004c rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCF8B7C second address: 000000006CCF8BB9 instructions: 0x00000000 rdtsc 0x00000002 lea ecx, dword ptr [00000000h+esi*4] 0x00000009 neg cx 0x0000000c jmp 00007FE5151CE63Eh 0x0000000e lea eax, dword ptr [eax+ecx] 0x00000011 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCF8BB9 second address: 000000006CCF8B0F instructions: 0x00000000 rdtsc 0x00000002 push dword ptr [esp+04h] 0x00000006 retn 0008h 0x00000009 sub ebp, 04h 0x0000000c rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCF8B0F second address: 000000006CCF8C6A instructions: 0x00000000 rdtsc 0x00000002 xchg dh, ch 0x00000004 jmp 00007FE5151CE7ADh 0x00000009 not eax 0x0000000b not ax 0x0000000e mov edx, edi 0x00000010 mov ecx, dword ptr [edx] 0x00000012 jmp 00007FE5151CE5BFh 0x00000014 mov eax, edx 0x00000016 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCF8C6A second address: 000000006CCF8C3A instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 jne 00007FE5150D13CDh 0x00000005 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCEEAC9 second address: 000000006CCEEEF8 instructions: 0x00000000 rdtsc 0x00000002 mov dl, F2h 0x00000004 bswap ecx 0x00000006 call 00007FE5151CE5EAh 0x0000000b jmp 00007FE5151CE63Bh 0x0000000d lea ebx, dword ptr [ebx+55h] 0x00000010 lea ecx, dword ptr [00000000h+ebx*4] 0x00000017 bsr bp, cx 0x0000001b rcl ecx, 19h 0x0000001e xchg dword ptr [esp+04h], ebx 0x00000022 jmp 00007FE5151CEA6Bh 0x00000027 mov al, F1h 0x00000029 rcl bx, 1 0x0000002c inc bx 0x0000002e sub esp, 1Eh 0x00000031 ror ax, 0002h 0x00000035 lea esp, dword ptr [esp+02h] 0x00000039 jmp 00007FE5151CE5D0h 0x0000003b push dword ptr [esp+20h] 0x0000003f retn 0024h 0x00000042 lea edi, dword ptr [esp+0Ch] 0x00000046 mov dl, byte ptr [esp] 0x00000049 jmp 00007FE5151CEA7Ah 0x0000004e sub esp, 000000B4h 0x00000054 mov ebp, esp 0x00000056 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCF9089 second address: 000000006CCF907A instructions: 0x00000000 rdtsc 0x00000002 pop eax 0x00000003 lea esi, dword ptr [esi-00000153h] 0x00000009 mov dh, BBh 0x0000000b mov dh, byte ptr [esp] 0x0000000e jmp 00007FE5150D13CFh 0x00000010 mov eax, 75B25F11h 0x00000015 lea edx, dword ptr [00000000h+eax*4] 0x0000001c xchg dword ptr [esp+10h], esi 0x00000020 push edi 0x00000021 mov byte ptr [esp], al 0x00000024 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD034FB second address: 000000006CD0353D instructions: 0x00000000 rdtsc 0x00000002 push ebp 0x00000003 call 00007FE5150D13E3h 0x00000008 push esp 0x00000009 mov esi, dword ptr [esp+03h] 0x0000000d bswap eax 0x0000000f mov byte ptr [esp+01h], cl 0x00000013 mov word ptr [esp+01h], sp 0x00000018 jmp 00007FE5150D1429h 0x0000001a xchg dword ptr [esp+04h], ebp 0x0000001e pushad 0x0000001f inc cx 0x00000021 bsf di, bx 0x00000025 pop esi 0x00000026 clc 0x00000027 jmp 00007FE5150D13DDh 0x00000029 lea ebp, dword ptr [ebp-0000003Ch] 0x0000002f mov cl, dl 0x00000031 bsr edi, ecx 0x00000034 cmc 0x00000035 cmc 0x00000036 jmp 00007FE5150D144Dh 0x00000038 xchg dword ptr [esp+20h], ebp 0x0000003c inc cl 0x0000003e cmc 0x0000003f setne dh 0x00000042 lea edi, dword ptr [ecx+ebp] 0x00000045 push dword ptr [esp+20h] 0x00000049 retn 0024h 0x0000004c bswap edx 0x0000004e jmp 00007FE5150D1474h 0x00000050 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCFB85B second address: 000000006CCFB903 instructions: 0x00000000 rdtsc 0x00000002 lea eax, dword ptr [eax+ebx] 0x00000005 jmp 00007FE5151CE5EFh 0x00000007 cmp eax, 9DA45E12h 0x0000000c push si 0x0000000e lea esp, dword ptr [esp+02h] 0x00000012 jmp 00007FE5151CE63Eh 0x00000014 pop esi 0x00000015 mov al, dl 0x00000017 mov al, dl 0x00000019 clc 0x0000001a jnp 00007FE5151CE5F4h 0x0000001c jp 00007FE5151CE686h 0x0000001e pop ebp 0x0000001f mov ch, 2Fh 0x00000021 mov ax, BE00h 0x00000025 or eax, ebx 0x00000027 jnle 00007FE5151CE5D1h 0x00000029 jle 00007FE5151CE5B9h 0x0000002b add esp, 04h 0x0000002e jnbe 00007FE5151CE63Bh 0x00000030 pushfd 0x00000031 mov cx, word ptr [esp+02h] 0x00000036 jmp 00007FE5151CE5F4h 0x00000038 lea edi, dword ptr [ecx+ebx] 0x0000003b mov edi, dword ptr [esp+04h] 0x0000003f mov edx, 6C4C3A78h 0x00000044 push dx 0x00000046 jmp 00007FE5151CE620h 0x00000048 lea esp, dword ptr [esp+02h] 0x0000004c lea esp, dword ptr [esp+08h] 0x00000050 call 00007FE5151CE641h 0x00000055 mov ax, dx 0x00000058 mov cl, B9h 0x0000005a bt dx, bx 0x0000005e xchg dword ptr [esp], ecx 0x00000061 jmp 00007FE5151CE5EEh 0x00000063 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD0353D second address: 000000006CCECBBE instructions: 0x00000000 rdtsc 0x00000002 lea edx, dword ptr [ecx+000000CFh] 0x00000008 mov cl, ch 0x0000000a mov al, 0Ch 0x0000000c mov esi, eax 0x0000000e sub esp, 0Bh 0x00000011 jmp 00007FE5150D1424h 0x00000013 jle 00007FE5150D1420h 0x00000015 mov al, ah 0x00000017 lea esp, dword ptr [esp+03h] 0x0000001b jmp 00007FE5150D141Eh 0x0000001d jmp 00007FE5150D13E4h 0x0000001f add esp, 08h 0x00000022 jo 00007FE5150D1431h 0x00000024 jno 00007FE5150D142Fh 0x00000026 pop esi 0x00000027 xchg ch, al 0x00000029 pushfd 0x0000002a jmp 00007FE5150D13E6h 0x0000002c mov cl, 90h 0x0000002e bswap edx 0x00000030 jmp 00007FE5150D1418h 0x00000032 add esp, 04h 0x00000035 jmp 00007FE5150D151Eh 0x0000003a jne 00007FE5150D12E8h 0x00000040 pop ebp 0x00000041 mov di, word ptr [esp] 0x00000045 xchg ah, al 0x00000047 mov ah, 7Dh 0x00000049 jmp 00007FE5150D14BCh 0x0000004e bsr ax, bp 0x00000052 jnbe 00007FE5150D138Ch 0x00000054 pop edi 0x00000055 jmp 00007FE5150BA9BCh 0x0000005a mov ebx, ebp 0x0000005c lea eax, dword ptr [esp+ecx] 0x0000005f setle ah 0x00000062 sets dl 0x00000065 call 00007FE5150D13DFh 0x0000006a xchg cl, ch 0x0000006c pushad 0x0000006d rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCFBA9C second address: 000000006CCECE3D instructions: 0x00000000 rdtsc 0x00000002 mov eax, dword ptr [esp] 0x00000005 jmp 00007FE5150C27B9h 0x0000000a movzx ecx, byte ptr [ebp+00h] 0x0000000e jmp 00007FE5150D13DFh 0x00000010 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCECCAF second address: 000000006CCECC9D instructions: 0x00000000 rdtsc 0x00000002 neg al 0x00000004 neg al 0x00000006 push sp 0x00000008 jmp 00007FE5151CE5EFh 0x0000000a lea esp, dword ptr [esp+02h] 0x0000000e xchg dword ptr [esp], ebx 0x00000011 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD01465 second address: 000000006CD0146C instructions: 0x00000000 rdtsc 0x00000002 not ah 0x00000004 ror cl, 00000000h 0x00000007 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD03196 second address: 000000006CD01849 instructions: 0x00000000 rdtsc 0x00000002 stc 0x00000003 jmp 00007FE5151CE738h 0x00000008 jo 00007FE5151CE4EEh 0x0000000e mov edx, 4C97B051h 0x00000013 neg edx 0x00000015 jmp 00007FE5151CE593h 0x00000017 mov eax, dword ptr [esi] 0x0000001a setnl dh 0x0000001d jmp 00007FE5151CE62Ch 0x0000001f mov dh, cl 0x00000021 call 00007FE5151CE5F4h 0x00000026 sub esi, 04h 0x00000029 mov edx, esi 0x0000002b lea edx, dword ptr [esp+esi] 0x0000002e pushfd 0x0000002f jmp 00007FE5151CE63Eh 0x00000031 btc ecx, ecx 0x00000034 jle 00007FE5151CE5F7h 0x00000036 jnle 00007FE5151CE5F5h 0x00000038 mov dword ptr [esi], eax 0x0000003a lea ecx, dword ptr [ebp+00003F07h] 0x00000040 bts cx, bx 0x00000044 jmp 00007FE5151CE699h 0x00000049 jc 00007FE5151CE598h 0x0000004b xchg dh, cl 0x0000004d mov dx, FA48h 0x00000051 jmp 00007FE5151CCBBCh 0x00000056 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCECE3D second address: 000000006CCECEB5 instructions: 0x00000000 rdtsc 0x00000002 clc 0x00000003 jnbe 00007FE5150D1436h 0x00000005 not ax 0x00000008 call 00007FE5150D13E7h 0x0000000d mov ax, di 0x00000010 jmp 00007FE5150D141Bh 0x00000012 mov edx, dword ptr [esp] 0x00000015 add esp, 02h 0x00000018 jmp 00007FE5150D145Dh 0x0000001a jnle 00007FE5150D13A9h 0x0000001c mov dl, dh 0x0000001e mov dh, byte ptr [esp+01h] 0x00000022 call 00007FE5150D1439h 0x00000027 lea esp, dword ptr [esp+02h] 0x0000002b jmp 00007FE5150D13E6h 0x0000002d add cl, bl 0x0000002f rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD01BCB second address: 000000006CD01E93 instructions: 0x00000000 rdtsc 0x00000002 sub esp, 11h 0x00000005 mov word ptr [esp+07h], ax 0x0000000a inc dx 0x0000000c jmp 00007FE5151CE62Dh 0x0000000e lea esp, dword ptr [esp+01h] 0x00000012 lea edi, dword ptr [edi-0000002Bh] 0x00000018 bswap edx 0x0000001a adc edx, ecx 0x0000001c dec dh 0x0000001e setb ah 0x00000021 jmp 00007FE5151CEC5Fh 0x00000026 xchg dword ptr [esp+10h], edi 0x0000002a bsr eax, ecx 0x0000002d sub eax, esi 0x0000002f push dword ptr [esp+10h] 0x00000033 retn 0014h 0x00000036 mov edx, eax 0x00000038 mov eax, ebp 0x0000003a btr eax, ebp 0x0000003d jmp 00007FE5151CEA20h 0x00000042 jl 00007FE5151CE7AAh 0x00000048 mov eax, esi 0x0000004a inc cl 0x0000004c bsr dx, ax 0x00000050 jmp 00007FE5151CE269h 0x00000055 jnp 00007FE5151CE6EEh 0x0000005b mov edx, dword ptr [esp] 0x0000005e xchg eax, edx 0x0000005f jmp 00007FE5151CE4F1h 0x00000064 bsf edx, ebp 0x00000067 jmp 00007FE5151CE807h 0x0000006c pushad 0x0000006d rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCF9089 second address: 000000006CCF907A instructions: 0x00000000 rdtsc 0x00000002 pop eax 0x00000003 lea esi, dword ptr [esi-00000153h] 0x00000009 mov dh, BBh 0x0000000b mov dh, byte ptr [esp] 0x0000000e jmp 00007FE5151CE5DFh 0x00000010 mov eax, 75B25F11h 0x00000015 lea edx, dword ptr [00000000h+eax*4] 0x0000001c xchg dword ptr [esp+10h], esi 0x00000020 push edi 0x00000021 mov byte ptr [esp], al 0x00000024 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD0353D second address: 000000006CCECBBE instructions: 0x00000000 rdtsc 0x00000002 lea edx, dword ptr [ecx+000000CFh] 0x00000008 mov cl, ch 0x0000000a mov al, 0Ch 0x0000000c mov esi, eax 0x0000000e sub esp, 0Bh 0x00000011 jmp 00007FE5151CE634h 0x00000013 jle 00007FE5151CE630h 0x00000015 mov al, ah 0x00000017 lea esp, dword ptr [esp+03h] 0x0000001b jmp 00007FE5151CE62Eh 0x0000001d jmp 00007FE5151CE5F4h 0x0000001f add esp, 08h 0x00000022 jo 00007FE5151CE641h 0x00000024 jno 00007FE5151CE63Fh 0x00000026 pop esi 0x00000027 xchg ch, al 0x00000029 pushfd 0x0000002a jmp 00007FE5151CE5F6h 0x0000002c mov cl, 90h 0x0000002e bswap edx 0x00000030 jmp 00007FE5151CE628h 0x00000032 add esp, 04h 0x00000035 jmp 00007FE5151CE72Eh 0x0000003a jne 00007FE5151CE4F8h 0x00000040 pop ebp 0x00000041 mov di, word ptr [esp] 0x00000045 xchg ah, al 0x00000047 mov ah, 7Dh 0x00000049 jmp 00007FE5151CE6CCh 0x0000004e bsr ax, bp 0x00000052 jnbe 00007FE5151CE59Ch 0x00000054 pop edi 0x00000055 jmp 00007FE5151B7BCCh 0x0000005a mov ebx, ebp 0x0000005c lea eax, dword ptr [esp+ecx] 0x0000005f setle ah 0x00000062 sets dl 0x00000065 call 00007FE5151CE5EFh 0x0000006a xchg cl, ch 0x0000006c pushad 0x0000006d rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD03196 second address: 000000006CD01849 instructions: 0x00000000 rdtsc 0x00000002 stc 0x00000003 jmp 00007FE5150D1528h 0x00000008 jo 00007FE5150D12DEh 0x0000000e mov edx, 4C97B051h 0x00000013 neg edx 0x00000015 jmp 00007FE5150D1383h 0x00000017 mov eax, dword ptr [esi] 0x0000001a setnl dh 0x0000001d jmp 00007FE5150D141Ch 0x0000001f mov dh, cl 0x00000021 call 00007FE5150D13E4h 0x00000026 sub esi, 04h 0x00000029 mov edx, esi 0x0000002b lea edx, dword ptr [esp+esi] 0x0000002e pushfd 0x0000002f jmp 00007FE5150D142Eh 0x00000031 btc ecx, ecx 0x00000034 jle 00007FE5150D13E7h 0x00000036 jnle 00007FE5150D13E5h 0x00000038 mov dword ptr [esi], eax 0x0000003a lea ecx, dword ptr [ebp+00003F07h] 0x00000040 bts cx, bx 0x00000044 jmp 00007FE5150D1489h 0x00000049 jc 00007FE5150D1388h 0x0000004b xchg dh, cl 0x0000004d mov dx, FA48h 0x00000051 jmp 00007FE5150CF9ACh 0x00000056 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD0345B second address: 000000006CD034FB instructions: 0x00000000 rdtsc 0x00000002 mov ch, bh 0x00000004 stc 0x00000005 mov eax, dword ptr [esp] 0x00000008 jmp 00007FE5150D1419h 0x0000000a mov dl, E0h 0x0000000c push dword ptr [esp+18h] 0x00000010 retn 001Ch 0x00000013 mov edi, dword ptr [ebp+00h] 0x00000016 lea eax, dword ptr [edx+ebx] 0x00000019 setnle cl 0x0000001c mov eax, B0A52D3Ah 0x00000021 jmp 00007FE5150D15E9h 0x00000026 push bx 0x00000028 lea esp, dword ptr [esp+02h] 0x0000002c add ebp, 04h 0x0000002f mov dx, word ptr [esp] 0x00000033 mov ecx, edx 0x00000035 jmp 00007FE5150D1345h 0x0000003a push esi 0x0000003b neg ah 0x0000003d jnle 00007FE5150D13A7h 0x0000003f not ch 0x00000041 cmc 0x00000042 jmp 00007FE5150D1382h 0x00000044 push edi 0x00000045 neg ecx 0x00000047 jne 00007FE5150D13E6h 0x00000049 jmp 00007FE5150D1454h 0x0000004b clc 0x0000004c rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD0345B second address: 000000006CD034FB instructions: 0x00000000 rdtsc 0x00000002 mov ch, bh 0x00000004 stc 0x00000005 mov eax, dword ptr [esp] 0x00000008 jmp 00007FE5151CE629h 0x0000000a mov dl, E0h 0x0000000c push dword ptr [esp+18h] 0x00000010 retn 001Ch 0x00000013 mov edi, dword ptr [ebp+00h] 0x00000016 lea eax, dword ptr [edx+ebx] 0x00000019 setnle cl 0x0000001c mov eax, B0A52D3Ah 0x00000021 jmp 00007FE5151CE7F9h 0x00000026 push bx 0x00000028 lea esp, dword ptr [esp+02h] 0x0000002c add ebp, 04h 0x0000002f mov dx, word ptr [esp] 0x00000033 mov ecx, edx 0x00000035 jmp 00007FE5151CE555h 0x0000003a push esi 0x0000003b neg ah 0x0000003d jnle 00007FE5151CE5B7h 0x0000003f not ch 0x00000041 cmc 0x00000042 jmp 00007FE5151CE592h 0x00000044 push edi 0x00000045 neg ecx 0x00000047 jne 00007FE5151CE5F6h 0x00000049 jmp 00007FE5151CE664h 0x0000004b clc 0x0000004c rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCFAD3A second address: 000000006CCECBBE instructions: 0x00000000 rdtsc 0x00000002 lea eax, dword ptr [00000000h+ebx*4] 0x00000009 mov ecx, D5B43DB6h 0x0000000e jmp 00007FE5150C3289h 0x00000013 mov ebx, ebp 0x00000015 lea eax, dword ptr [esp+ecx] 0x00000018 setle ah 0x0000001b sets dl 0x0000001e call 00007FE5150D13DFh 0x00000023 xchg cl, ch 0x00000025 pushad 0x00000026 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCFAD3A second address: 000000006CCECBBE instructions: 0x00000000 rdtsc 0x00000002 lea eax, dword ptr [00000000h+ebx*4] 0x00000009 mov ecx, D5B43DB6h 0x0000000e jmp 00007FE5151C0499h 0x00000013 mov ebx, ebp 0x00000015 lea eax, dword ptr [esp+ecx] 0x00000018 setle ah 0x0000001b sets dl 0x0000001e call 00007FE5151CE5EFh 0x00000023 xchg cl, ch 0x00000025 pushad 0x00000026 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD0457D second address: 000000006CD0457F instructions: 0x00000000 rdtsc 0x00000002 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCFE1D1 second address: 000000006CCFE3D9 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 xchg word ptr [esp], ax 0x00000007 lea ecx, dword ptr [ecx+esi] 0x0000000a xchg dword ptr [esp+04h], esi 0x0000000e jmp 00007FE5150D1406h 0x00000010 cmc 0x00000011 neg al 0x00000013 dec cx 0x00000015 lea ecx, dword ptr [00000000h+edi*4] 0x0000001c mov eax, 63E4BEA4h 0x00000021 jmp 00007FE5150D15E0h 0x00000026 lea esi, dword ptr [esi+2Ah] 0x00000029 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD121EC second address: 000000006CD121EE instructions: 0x00000000 rdtsc 0x00000002 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCFB709 second address: 000000006CCFB85B instructions: 0x00000000 rdtsc 0x00000002 mov ah, byte ptr [esp] 0x00000005 jmp 00007FE5150D141Dh 0x00000007 mov dh, byte ptr [esp] 0x0000000a jmp 00007FE5150D1430h 0x0000000c mov ecx, edi 0x0000000e mov esi, dword ptr [ecx] 0x00000010 bsf ecx, ecx 0x00000013 jnp 00007FE5150D13E3h 0x00000015 jmp 00007FE5150D1495h 0x0000001a mov al, 96h 0x0000001c xchg edx, ecx 0x0000001e add edi, 04h 0x00000021 jmp 00007FE5150D13B9h 0x00000023 btc edx, esi 0x00000026 je 00007FE5150D13E7h 0x00000028 bsr eax, edi 0x0000002b setnl dh 0x0000002e jmp 00007FE5150D141Ch 0x00000030 push ebp 0x00000031 lea ecx, dword ptr [ecx+esi] 0x00000034 call 00007FE5150D13E2h 0x00000039 mov ch, byte ptr [esp] 0x0000003c push esi 0x0000003d jmp 00007FE5150D1482h 0x00000042 and ebp, esi 0x00000044 jns 00007FE5150D13CEh 0x00000046 mov cx, word ptr [esp] 0x0000004a mov cl, byte ptr [esp] 0x0000004d jmp 00007FE5150D13DFh 0x0000004f dec ax 0x00000051 push edi 0x00000052 mov dx, 9280h 0x00000056 mov dx, B8F4h 0x0000005a jmp 00007FE5150D1418h 0x0000005c mov bp, word ptr [esp] 0x00000060 sbb ax, bp 0x00000063 jmp 00007FE5150D1449h 0x00000065 jnc 00007FE5150D13BDh 0x00000067 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCFB903 second address: 000000006CCECBBE instructions: 0x00000000 rdtsc 0x00000002 sub edx, eax 0x00000004 mov ax, bx 0x00000007 add dx, dx 0x0000000a mov ah, E4h 0x0000000c jmp 00007FE5150D1418h 0x0000000e lea ecx, dword ptr [ecx-0000ED1Ch] 0x00000014 mov dx, AE09h 0x00000018 mov eax, dword ptr [esp] 0x0000001b btc ax, si 0x0000001f call 00007FE5150D16BDh 0x00000024 xchg dword ptr [esp+04h], ecx 0x00000028 mov ch, byte ptr [esp] 0x0000002b jmp 00007FE5150D1233h 0x00000030 sub esp, 16h 0x00000033 mov ax, word ptr [esp+07h] 0x00000038 mov ecx, dword ptr [esp+12h] 0x0000003c add esp, 07h 0x0000003f lea esp, dword ptr [esp+03h] 0x00000043 push dword ptr [esp+10h] 0x00000047 retn 0014h 0x0000004a mov ebx, ebp 0x0000004c lea eax, dword ptr [esp+ecx] 0x0000004f setle ah 0x00000052 sets dl 0x00000055 call 00007FE5150D13DFh 0x0000005a xchg cl, ch 0x0000005c pushad 0x0000005d rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCECBBE second address: 000000006CCECBE2 instructions: 0x00000000 rdtsc 0x00000002 mov al, bh 0x00000004 xchg dword ptr [esp+20h], esi 0x00000008 jmp 00007FE5151CE62Ch 0x0000000a rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCECBE2 second address: 000000006CCECCAF instructions: 0x00000000 rdtsc 0x00000002 xchg ecx, edx 0x00000004 mov ax, word ptr [esp] 0x00000008 mov edx, B68AAC39h 0x0000000d lea esi, dword ptr [esi-00000052h] 0x00000013 xchg eax, edx 0x00000014 jmp 00007FE5150D1423h 0x00000016 mov edx, ecx 0x00000018 lea eax, dword ptr [00000000h+edi*4] 0x0000001f mov dx, 208Bh 0x00000023 xchg dword ptr [esp+20h], esi 0x00000027 mov cl, ch 0x00000029 xchg dx, ax 0x0000002c jmp 00007FE5150D13D3h 0x0000002e xchg dx, ax 0x00000031 mov ecx, dword ptr [esp] 0x00000034 push dword ptr [esp+20h] 0x00000038 retn 0024h 0x0000003b mov eax, 12F33EA2h 0x00000040 xor cl, 00000044h 0x00000043 jnl 00007FE5150D14E0h 0x00000049 jl 00007FE5150D14BCh 0x0000004f pushfd 0x00000050 mov dx, cx 0x00000053 mov dh, 56h 0x00000055 jmp 00007FE5150D1471h 0x00000057 lea eax, dword ptr [ebx-03h] 0x0000005a lea ecx, dword ptr [ecx-0F5291AAh] 0x00000060 jmp 00007FE5150D13ADh 0x00000062 lea esp, dword ptr [esp+04h] 0x00000066 sub ebp, 1284C013h 0x0000006c call 00007FE5150D141Ch 0x00000071 mov ecx, dword ptr [esp] 0x00000074 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCECC9D second address: 000000006CCECCC5 instructions: 0x00000000 rdtsc 0x00000002 mov edx, 93656786h 0x00000007 jmp 00007FE5150D1415h 0x00000009 mov edx, dword ptr [esp] 0x0000000c lea ebx, dword ptr [ebx-00000034h] 0x00000012 shr eax, 0Ch 0x00000015 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCECE39 second address: 000000006CCECE3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE5151CE5CFh 0x00000004 xor ebp, 2D4823BBh 0x0000000a mov ah, byte ptr [esp] 0x0000000d clc 0x0000000e je 00007FE5151CE5F0h 0x00000010 jne 00007FE5151CE61Ah 0x00000012 mov eax, 09013DC9h 0x00000017 sub esp, 19h 0x0000001a lea esp, dword ptr [esp+01h] 0x0000001e jmp 00007FE5151CE696h 0x00000023 add ebp, dword ptr [esi] 0x00000025 lea eax, dword ptr [00000000h+edx*4] 0x0000002c xchg ch, cl 0x0000002e jmp 00007FE5151CE5BDh 0x00000030 movzx ecx, byte ptr [ebp+00h] 0x00000034 jmp 00007FE5151CE5EFh 0x00000036 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCED042 second address: 000000006CCED0C7 instructions: 0x00000000 rdtsc 0x00000002 btr eax, ebp 0x00000005 jnp 00007FE5151CE659h 0x00000007 mov dx, word ptr [esp] 0x0000000b jmp 00007FE5151CE642h 0x0000000d inc ebp 0x0000000e rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCEDC6E second address: 000000006CCECE3D instructions: 0x00000000 rdtsc 0x00000002 and cx, si 0x00000005 jnc 00007FE5150D142Eh 0x00000007 jmp 00007FE5150D13EAh 0x00000009 mov dx, word ptr [esp] 0x0000000d jmp 00007FE5150D1428h 0x0000000f sub esp, 02h 0x00000012 jne 00007FE5150D1441h 0x00000014 lea eax, dword ptr [esp+edi] 0x00000017 lea esp, dword ptr [esp+02h] 0x0000001b jmp 00007FE5150D1434h 0x0000001d lea eax, dword ptr [edi+50h] 0x00000020 xchg dx, cx 0x00000023 stc 0x00000024 jc 00007FE5150D1388h 0x00000026 push di 0x00000028 lea esp, dword ptr [esp+02h] 0x0000002c jmp 00007FE5150D1476h 0x0000002e cmp esi, eax 0x00000030 jmp 00007FE5150D153Bh 0x00000035 jl 00007FE5150D12CBh 0x0000003b jnl 00007FE5150D12C5h 0x00000041 ja 00007FE5150D0511h 0x00000047 movzx ecx, byte ptr [ebp+00h] 0x0000004b jmp 00007FE5150D13DFh 0x0000004d rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCFDBDC second address: 000000006CCFDDC5 instructions: 0x00000000 rdtsc 0x00000002 push ebp 0x00000003 stc 0x00000004 jnc 00007FE5151CE5D2h 0x00000006 shl bp, cl 0x00000009 jmp 00007FE5151CE6B1h 0x0000000e push esi 0x0000000f xchg bp, ax 0x00000012 pushfd 0x00000013 jmp 00007FE5151CE5C7h 0x00000015 inc bp 0x00000017 jnc 00007FE5151CE5EAh 0x00000019 jc 00007FE5151CE5E8h 0x0000001b push edi 0x0000001c xchg dh, dl 0x0000001e xchg dl, cl 0x00000020 jmp 00007FE5151CE5F5h 0x00000022 sub esp, 00000000h 0x00000025 jbe 00007FE5151CE62Ah 0x00000027 mov ecx, dword ptr [esp] 0x0000002a lea edx, dword ptr [esi+esi] 0x0000002d add dx, bx 0x00000030 jmp 00007FE5151CE65Bh 0x00000032 pop ebp 0x00000033 sub esp, 03h 0x00000036 jbe 00007FE5151CE5F3h 0x00000038 rol esi, cl 0x0000003a add esp, 01h 0x0000003d lea esp, dword ptr [esp+02h] 0x00000041 jmp 00007FE5151CE7D9h 0x00000046 add esp, 04h 0x00000049 jno 00007FE5151CE598h 0x0000004b pop edi 0x0000004c rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCF8B7C second address: 000000006CCF8BB9 instructions: 0x00000000 rdtsc 0x00000002 lea ecx, dword ptr [00000000h+esi*4] 0x00000009 neg cx 0x0000000c jmp 00007FE5150D142Eh 0x0000000e lea eax, dword ptr [eax+ecx] 0x00000011 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCF8B0F second address: 000000006CCF8C6A instructions: 0x00000000 rdtsc 0x00000002 xchg dh, ch 0x00000004 jmp 00007FE5150D159Dh 0x00000009 not eax 0x0000000b not ax 0x0000000e mov edx, edi 0x00000010 mov ecx, dword ptr [edx] 0x00000012 jmp 00007FE5150D13AFh 0x00000014 mov eax, edx 0x00000016 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCF8C6A second address: 000000006CCF8C3A instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 jne 00007FE5151CE5DDh 0x00000005 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD034FB second address: 000000006CD0353D instructions: 0x00000000 rdtsc 0x00000002 push ebp 0x00000003 call 00007FE5151CE5F3h 0x00000008 push esp 0x00000009 mov esi, dword ptr [esp+03h] 0x0000000d bswap eax 0x0000000f mov byte ptr [esp+01h], cl 0x00000013 mov word ptr [esp+01h], sp 0x00000018 jmp 00007FE5151CE639h 0x0000001a xchg dword ptr [esp+04h], ebp 0x0000001e pushad 0x0000001f inc cx 0x00000021 bsf di, bx 0x00000025 pop esi 0x00000026 clc 0x00000027 jmp 00007FE5151CE5EDh 0x00000029 lea ebp, dword ptr [ebp-0000003Ch] 0x0000002f mov cl, dl 0x00000031 bsr edi, ecx 0x00000034 cmc 0x00000035 cmc 0x00000036 jmp 00007FE5151CE65Dh 0x00000038 xchg dword ptr [esp+20h], ebp 0x0000003c inc cl 0x0000003e cmc 0x0000003f setne dh 0x00000042 lea edi, dword ptr [ecx+ebp] 0x00000045 push dword ptr [esp+20h] 0x00000049 retn 0024h 0x0000004c bswap edx 0x0000004e jmp 00007FE5151CE684h 0x00000050 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCFBA9C second address: 000000006CCECE3D instructions: 0x00000000 rdtsc 0x00000002 mov eax, dword ptr [esp] 0x00000005 jmp 00007FE5151BF9C9h 0x0000000a movzx ecx, byte ptr [ebp+00h] 0x0000000e jmp 00007FE5151CE5EFh 0x00000010 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD01BCB second address: 000000006CD01E93 instructions: 0x00000000 rdtsc 0x00000002 sub esp, 11h 0x00000005 mov word ptr [esp+07h], ax 0x0000000a inc dx 0x0000000c jmp 00007FE5150D141Dh 0x0000000e lea esp, dword ptr [esp+01h] 0x00000012 lea edi, dword ptr [edi-0000002Bh] 0x00000018 bswap edx 0x0000001a adc edx, ecx 0x0000001c dec dh 0x0000001e setb ah 0x00000021 jmp 00007FE5150D1A4Fh 0x00000026 xchg dword ptr [esp+10h], edi 0x0000002a bsr eax, ecx 0x0000002d sub eax, esi 0x0000002f push dword ptr [esp+10h] 0x00000033 retn 0014h 0x00000036 mov edx, eax 0x00000038 mov eax, ebp 0x0000003a btr eax, ebp 0x0000003d jmp 00007FE5150D1810h 0x00000042 jl 00007FE5150D159Ah 0x00000048 mov eax, esi 0x0000004a inc cl 0x0000004c bsr dx, ax 0x00000050 jmp 00007FE5150D1059h 0x00000055 jnp 00007FE5150D14DEh 0x0000005b mov edx, dword ptr [esp] 0x0000005e xchg eax, edx 0x0000005f jmp 00007FE5150D12E1h 0x00000064 bsf edx, ebp 0x00000067 jmp 00007FE5150D15F7h 0x0000006c pushad 0x0000006d rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCEA7C8 second address: 000000006CCEA807 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE5151CE5ECh 0x00000004 sub esp, 000000A0h 0x0000000a call 00007FE5151CE665h 0x0000000f setno bl 0x00000012 mov al, byte ptr [esp] 0x00000015 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD039C4 second address: 000000006CD039F9 instructions: 0x00000000 rdtsc 0x00000002 lea esp, dword ptr [esp+02h] 0x00000006 jmp 00007FE5150D13D5h 0x00000008 lea ebp, dword ptr [ebp-00000520h] 0x0000000e xchg eax, edx 0x0000000f lea eax, dword ptr [00000000h+ecx*4] 0x00000016 jmp 00007FE5150D143Ch 0x00000018 mov dx, bp 0x0000001b lea eax, dword ptr [edi+ebp] 0x0000001e not eax 0x00000020 xchg dword ptr [esp+3Ch], ebp 0x00000024 bsf dx, di 0x00000028 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCFE1D1 second address: 000000006CCFE3D9 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 xchg word ptr [esp], ax 0x00000007 lea ecx, dword ptr [ecx+esi] 0x0000000a xchg dword ptr [esp+04h], esi 0x0000000e jmp 00007FE5151CE616h 0x00000010 cmc 0x00000011 neg al 0x00000013 dec cx 0x00000015 lea ecx, dword ptr [00000000h+edi*4] 0x0000001c mov eax, 63E4BEA4h 0x00000021 jmp 00007FE5151CE7F0h 0x00000026 lea esi, dword ptr [esi+2Ah] 0x00000029 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCEA7C8 second address: 000000006CCEA807 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE5150D13DCh 0x00000004 sub esp, 000000A0h 0x0000000a call 00007FE5150D1455h 0x0000000f setno bl 0x00000012 mov al, byte ptr [esp] 0x00000015 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD039C4 second address: 000000006CD039F9 instructions: 0x00000000 rdtsc 0x00000002 lea esp, dword ptr [esp+02h] 0x00000006 jmp 00007FE5151CE5E5h 0x00000008 lea ebp, dword ptr [ebp-00000520h] 0x0000000e xchg eax, edx 0x0000000f lea eax, dword ptr [00000000h+ecx*4] 0x00000016 jmp 00007FE5151CE64Ch 0x00000018 mov dx, bp 0x0000001b lea eax, dword ptr [edi+ebp] 0x0000001e not eax 0x00000020 xchg dword ptr [esp+3Ch], ebp 0x00000024 bsf dx, di 0x00000028 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD3A396 second address: 000000006CD3A359 instructions: 0x00000000 rdtsc 0x00000002 bswap ecx 0x00000004 mov dh, byte ptr [esp] 0x00000007 jmp 00007FE5151CE4E8h 0x0000000c add esi, 02h 0x0000000f btr cx, ax 0x00000013 jno 00007FE5151CE6EDh 0x00000019 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD3A359 second address: 000000006CD3A2DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE5150D1351h 0x00000007 not cl 0x00000009 call 00007FE5150D144Dh 0x0000000e lea edx, dword ptr [00000000h+esi*4] 0x00000015 mov cx, E8B9h 0x00000019 rcl dx, cl 0x0000001c btc cx, ax 0x00000020 xchg al, cl 0x00000022 jmp 00007FE5150D13C9h 0x00000024 xchg dword ptr [esp], edi 0x00000027 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD3A2DB second address: 000000006CD3A2D0 instructions: 0x00000000 rdtsc 0x00000002 btc eax, ebx 0x00000005 mov eax, edx 0x00000007 xchg ch, ah 0x00000009 lea edi, dword ptr [edi-0004D459h] 0x0000000f jmp 00007FE5151CE5E8h 0x00000011 mov eax, edi 0x00000013 mov dx, EA8Dh 0x00000017 lea ecx, dword ptr [ebx+52h] 0x0000001a xchg dword ptr [esp], edi 0x0000001d bswap edx 0x0000001f rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD3A2D0 second address: 000000006CCECE3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE5150D1455h 0x00000004 push dword ptr [esp] 0x00000007 retn 0004h 0x0000000a movzx ecx, byte ptr [ebp+00h] 0x0000000e jmp 00007FE5150D13DFh 0x00000010 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CCEEAC9 second address: 000000006CCEEEF8 instructions: 0x00000000 rdtsc 0x00000002 mov dl, F2h 0x00000004 bswap ecx 0x00000006 call 00007FE5150D13DAh 0x0000000b jmp 00007FE5150D142Bh 0x0000000d lea ebx, dword ptr [ebx+55h] 0x00000010 lea ecx, dword ptr [00000000h+ebx*4] 0x00000017 bsr bp, cx 0x0000001b rcl ecx, 19h 0x0000001e xchg dword ptr [esp+04h], ebx 0x00000022 jmp 00007FE5150D185Bh 0x00000027 mov al, F1h 0x00000029 rcl bx, 1 0x0000002c inc bx 0x0000002e sub esp, 1Eh 0x00000031 ror ax, 0002h 0x00000035 lea esp, dword ptr [esp+02h] 0x00000039 jmp 00007FE5150D13C0h 0x0000003b push dword ptr [esp+20h] 0x0000003f retn 0024h 0x00000042 lea edi, dword ptr [esp+0Ch] 0x00000046 mov dl, byte ptr [esp] 0x00000049 jmp 00007FE5150D186Ah 0x0000004e sub esp, 000000B4h 0x00000054 mov ebp, esp 0x00000056 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CCFB709 second address: 000000006CCFB85B instructions: 0x00000000 rdtsc 0x00000002 mov ah, byte ptr [esp] 0x00000005 jmp 00007FE5151CE62Dh 0x00000007 mov dh, byte ptr [esp] 0x0000000a jmp 00007FE5151CE640h 0x0000000c mov ecx, edi 0x0000000e mov esi, dword ptr [ecx] 0x00000010 bsf ecx, ecx 0x00000013 jnp 00007FE5151CE5F3h 0x00000015 jmp 00007FE5151CE6A5h 0x0000001a mov al, 96h 0x0000001c xchg edx, ecx 0x0000001e add edi, 04h 0x00000021 jmp 00007FE5151CE5C9h 0x00000023 btc edx, esi 0x00000026 je 00007FE5151CE5F7h 0x00000028 bsr eax, edi 0x0000002b setnl dh 0x0000002e jmp 00007FE5151CE62Ch 0x00000030 push ebp 0x00000031 lea ecx, dword ptr [ecx+esi] 0x00000034 call 00007FE5151CE5F2h 0x00000039 mov ch, byte ptr [esp] 0x0000003c push esi 0x0000003d jmp 00007FE5151CE692h 0x00000042 and ebp, esi 0x00000044 jns 00007FE5151CE5DEh 0x00000046 mov cx, word ptr [esp] 0x0000004a mov cl, byte ptr [esp] 0x0000004d jmp 00007FE5151CE5EFh 0x0000004f dec ax 0x00000051 push edi 0x00000052 mov dx, 9280h 0x00000056 mov dx, B8F4h 0x0000005a jmp 00007FE5151CE628h 0x0000005c mov bp, word ptr [esp] 0x00000060 sbb ax, bp 0x00000063 jmp 00007FE5151CE659h 0x00000065 jnc 00007FE5151CE5CDh 0x00000067 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CCFB85B second address: 000000006CCFB903 instructions: 0x00000000 rdtsc 0x00000002 lea eax, dword ptr [eax+ebx] 0x00000005 jmp 00007FE5150D13DFh 0x00000007 cmp eax, 9DA45E12h 0x0000000c push si 0x0000000e lea esp, dword ptr [esp+02h] 0x00000012 jmp 00007FE5150D142Eh 0x00000014 pop esi 0x00000015 mov al, dl 0x00000017 mov al, dl 0x00000019 clc 0x0000001a jnp 00007FE5150D13E4h 0x0000001c jp 00007FE5150D1476h 0x0000001e pop ebp 0x0000001f mov ch, 2Fh 0x00000021 mov ax, BE00h 0x00000025 or eax, ebx 0x00000027 jnle 00007FE5150D13C1h 0x00000029 jle 00007FE5150D13A9h 0x0000002b add esp, 04h 0x0000002e jnbe 00007FE5150D142Bh 0x00000030 pushfd 0x00000031 mov cx, word ptr [esp+02h] 0x00000036 jmp 00007FE5150D13E4h 0x00000038 lea edi, dword ptr [ecx+ebx] 0x0000003b mov edi, dword ptr [esp+04h] 0x0000003f mov edx, 6C4C3A78h 0x00000044 push dx 0x00000046 jmp 00007FE5150D1410h 0x00000048 lea esp, dword ptr [esp+02h] 0x0000004c lea esp, dword ptr [esp+08h] 0x00000050 call 00007FE5150D1431h 0x00000055 mov ax, dx 0x00000058 mov cl, B9h 0x0000005a bt dx, bx 0x0000005e xchg dword ptr [esp], ecx 0x00000061 jmp 00007FE5150D13DEh 0x00000063 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CCFB903 second address: 000000006CCECBBE instructions: 0x00000000 rdtsc 0x00000002 sub edx, eax 0x00000004 mov ax, bx 0x00000007 add dx, dx 0x0000000a mov ah, E4h 0x0000000c jmp 00007FE5151CE628h 0x0000000e lea ecx, dword ptr [ecx-0000ED1Ch] 0x00000014 mov dx, AE09h 0x00000018 mov eax, dword ptr [esp] 0x0000001b btc ax, si 0x0000001f call 00007FE5151CE8CDh 0x00000024 xchg dword ptr [esp+04h], ecx 0x00000028 mov ch, byte ptr [esp] 0x0000002b jmp 00007FE5151CE443h 0x00000030 sub esp, 16h 0x00000033 mov ax, word ptr [esp+07h] 0x00000038 mov ecx, dword ptr [esp+12h] 0x0000003c add esp, 07h 0x0000003f lea esp, dword ptr [esp+03h] 0x00000043 push dword ptr [esp+10h] 0x00000047 retn 0014h 0x0000004a mov ebx, ebp 0x0000004c lea eax, dword ptr [esp+ecx] 0x0000004f setle ah 0x00000052 sets dl 0x00000055 call 00007FE5151CE5EFh 0x0000005a xchg cl, ch 0x0000005c pushad 0x0000005d rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CCECBBE second address: 000000006CCECBE2 instructions: 0x00000000 rdtsc 0x00000002 mov al, bh 0x00000004 xchg dword ptr [esp+20h], esi 0x00000008 jmp 00007FE5150D141Ch 0x0000000a rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CCECBE2 second address: 000000006CCECCAF instructions: 0x00000000 rdtsc 0x00000002 xchg ecx, edx 0x00000004 mov ax, word ptr [esp] 0x00000008 mov edx, B68AAC39h 0x0000000d lea esi, dword ptr [esi-00000052h] 0x00000013 xchg eax, edx 0x00000014 jmp 00007FE5151CE633h 0x00000016 mov edx, ecx 0x00000018 lea eax, dword ptr [00000000h+edi*4] 0x0000001f mov dx, 208Bh 0x00000023 xchg dword ptr [esp+20h], esi 0x00000027 mov cl, ch 0x00000029 xchg dx, ax 0x0000002c jmp 00007FE5151CE5E3h 0x0000002e xchg dx, ax 0x00000031 mov ecx, dword ptr [esp] 0x00000034 push dword ptr [esp+20h] 0x00000038 retn 0024h 0x0000003b mov eax, 12F33EA2h 0x00000040 xor cl, 00000044h 0x00000043 jnl 00007FE5151CE6F0h 0x00000049 pushfd 0x0000004a mov dx, cx 0x0000004d mov dh, 56h 0x0000004f lea eax, dword ptr [ebx-03h] 0x00000052 lea ecx, dword ptr [ecx-0F5291AAh] 0x00000058 lea esp, dword ptr [esp+04h] 0x0000005c sub ebp, 1284C013h 0x00000062 call 00007FE5151CE62Ch 0x00000067 mov ecx, dword ptr [esp] 0x0000006a rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CCECCAF second address: 000000006CCECC9D instructions: 0x00000000 rdtsc 0x00000002 neg al 0x00000004 neg al 0x00000006 push sp 0x00000008 jmp 00007FE5150D13DFh 0x0000000a lea esp, dword ptr [esp+02h] 0x0000000e xchg dword ptr [esp], ebx 0x00000011 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CCECC9D second address: 000000006CCECCC5 instructions: 0x00000000 rdtsc 0x00000002 mov edx, 93656786h 0x00000007 jmp 00007FE5151CE625h 0x00000009 mov edx, dword ptr [esp] 0x0000000c lea ebx, dword ptr [ebx-00000034h] 0x00000012 shr eax, 0Ch 0x00000015 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CCECE39 second address: 000000006CCECE3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE5150D13BFh 0x00000004 xor ebp, 2D4823BBh 0x0000000a mov ah, byte ptr [esp] 0x0000000d clc 0x0000000e je 00007FE5150D13E0h 0x00000010 jne 00007FE5150D140Ah 0x00000012 mov eax, 09013DC9h 0x00000017 sub esp, 19h 0x0000001a lea esp, dword ptr [esp+01h] 0x0000001e jmp 00007FE5150D1486h 0x00000023 add ebp, dword ptr [esi] 0x00000025 lea eax, dword ptr [00000000h+edx*4] 0x0000002c xchg ch, cl 0x0000002e jmp 00007FE5150D13ADh 0x00000030 movzx ecx, byte ptr [ebp+00h] 0x00000034 jmp 00007FE5150D13DFh 0x00000036 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CCECE3D second address: 000000006CCECEB5 instructions: 0x00000000 rdtsc 0x00000002 clc 0x00000003 jnbe 00007FE5151CE646h 0x00000005 not ax 0x00000008 call 00007FE5151CE5F7h 0x0000000d mov ax, di 0x00000010 jmp 00007FE5151CE62Bh 0x00000012 mov edx, dword ptr [esp] 0x00000015 add esp, 02h 0x00000018 jmp 00007FE5151CE66Dh 0x0000001a jnle 00007FE5151CE5B9h 0x0000001c mov dl, dh 0x0000001e mov dh, byte ptr [esp+01h] 0x00000022 call 00007FE5151CE649h 0x00000027 lea esp, dword ptr [esp+02h] 0x0000002b jmp 00007FE5151CE5F6h 0x0000002d add cl, bl 0x0000002f rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CCED042 second address: 000000006CCED0C7 instructions: 0x00000000 rdtsc 0x00000002 btr eax, ebp 0x00000005 jnp 00007FE5150D1449h 0x00000007 mov dx, word ptr [esp] 0x0000000b jmp 00007FE5150D1432h 0x0000000d inc ebp 0x0000000e rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CCEDC6E second address: 000000006CCECE3D instructions: 0x00000000 rdtsc 0x00000002 and cx, si 0x00000005 jnc 00007FE5151CE63Eh 0x00000007 jmp 00007FE5151CE5FAh 0x00000009 mov dx, word ptr [esp] 0x0000000d jmp 00007FE5151CE638h 0x0000000f sub esp, 02h 0x00000012 jne 00007FE5151CE651h 0x00000014 lea eax, dword ptr [esp+edi] 0x00000017 lea esp, dword ptr [esp+02h] 0x0000001b jmp 00007FE5151CE644h 0x0000001d lea eax, dword ptr [edi+50h] 0x00000020 xchg dx, cx 0x00000023 stc 0x00000024 jc 00007FE5151CE598h 0x00000026 push di 0x00000028 lea esp, dword ptr [esp+02h] 0x0000002c jmp 00007FE5151CE686h 0x0000002e cmp esi, eax 0x00000030 jmp 00007FE5151CE74Bh 0x00000035 jl 00007FE5151CE4DBh 0x0000003b jnl 00007FE5151CE4D5h 0x00000041 ja 00007FE5151CD721h 0x00000047 movzx ecx, byte ptr [ebp+00h] 0x0000004b jmp 00007FE5151CE5EFh 0x0000004d rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CCFDBDC second address: 000000006CCFDDC5 instructions: 0x00000000 rdtsc 0x00000002 push ebp 0x00000003 stc 0x00000004 jnc 00007FE5150D13C2h 0x00000006 shl bp, cl 0x00000009 jmp 00007FE5150D14A1h 0x0000000e push esi 0x0000000f xchg bp, ax 0x00000012 pushfd 0x00000013 jmp 00007FE5150D13B7h 0x00000015 inc bp 0x00000017 jnc 00007FE5150D13DAh 0x00000019 jc 00007FE5150D13D8h 0x0000001b push edi 0x0000001c xchg dh, dl 0x0000001e xchg dl, cl 0x00000020 jmp 00007FE5150D13E5h 0x00000022 sub esp, 00000000h 0x00000025 jbe 00007FE5150D141Ah 0x00000027 mov ecx, dword ptr [esp] 0x0000002a lea edx, dword ptr [esi+esi] 0x0000002d add dx, bx 0x00000030 jmp 00007FE5150D144Bh 0x00000032 pop ebp 0x00000033 sub esp, 03h 0x00000036 jbe 00007FE5150D13E3h 0x00000038 rol esi, cl 0x0000003a add esp, 01h 0x0000003d lea esp, dword ptr [esp+02h] 0x00000041 jmp 00007FE5150D15C9h 0x00000046 add esp, 04h 0x00000049 jno 00007FE5150D1388h 0x0000004b pop edi 0x0000004c rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CCF8B7C second address: 000000006CCF8BB9 instructions: 0x00000000 rdtsc 0x00000002 lea ecx, dword ptr [00000000h+esi*4] 0x00000009 neg cx 0x0000000c jmp 00007FE5151CE63Eh 0x0000000e lea eax, dword ptr [eax+ecx] 0x00000011 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CCF8BB9 second address: 000000006CCF8B0F instructions: 0x00000000 rdtsc 0x00000002 push dword ptr [esp+04h] 0x00000006 retn 0008h 0x00000009 sub ebp, 04h 0x0000000c rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CCF8B0F second address: 000000006CCF8C6A instructions: 0x00000000 rdtsc 0x00000002 xchg dh, ch 0x00000004 jmp 00007FE5151CE7ADh 0x00000009 not eax 0x0000000b not ax 0x0000000e mov edx, edi 0x00000010 mov ecx, dword ptr [edx] 0x00000012 jmp 00007FE5151CE5BFh 0x00000014 mov eax, edx 0x00000016 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CCF8C6A second address: 000000006CCF8C3A instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 jne 00007FE5150D13CDh 0x00000005 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CCF9089 second address: 000000006CCF907A instructions: 0x00000000 rdtsc 0x00000002 pop eax 0x00000003 lea esi, dword ptr [esi-00000153h] 0x00000009 mov dh, BBh 0x0000000b mov dh, byte ptr [esp] 0x0000000e jmp 00007FE5151CE5DFh 0x00000010 mov eax, 75B25F11h 0x00000015 lea edx, dword ptr [00000000h+eax*4] 0x0000001c xchg dword ptr [esp+10h], esi 0x00000020 push edi 0x00000021 mov byte ptr [esp], al 0x00000024 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CD034FB second address: 000000006CD0353D instructions: 0x00000000 rdtsc 0x00000002 push ebp 0x00000003 call 00007FE5150D13E3h 0x00000008 push esp 0x00000009 mov esi, dword ptr [esp+03h] 0x0000000d bswap eax 0x0000000f mov byte ptr [esp+01h], cl 0x00000013 mov word ptr [esp+01h], sp 0x00000018 jmp 00007FE5150D1429h 0x0000001a xchg dword ptr [esp+04h], ebp 0x0000001e pushad 0x0000001f inc cx 0x00000021 bsf di, bx 0x00000025 pop esi 0x00000026 clc 0x00000027 jmp 00007FE5150D13DDh 0x00000029 lea ebp, dword ptr [ebp-0000003Ch] 0x0000002f mov cl, dl 0x00000031 bsr edi, ecx 0x00000034 cmc 0x00000035 cmc 0x00000036 jmp 00007FE5150D144Dh 0x00000038 xchg dword ptr [esp+20h], ebp 0x0000003c inc cl 0x0000003e cmc 0x0000003f setne dh 0x00000042 lea edi, dword ptr [ecx+ebp] 0x00000045 push dword ptr [esp+20h] 0x00000049 retn 0024h 0x0000004c bswap edx 0x0000004e jmp 00007FE5150D1474h 0x00000050 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CD0353D second address: 000000006CCECBBE instructions: 0x00000000 rdtsc 0x00000002 lea edx, dword ptr [ecx+000000CFh] 0x00000008 mov cl, ch 0x0000000a mov al, 0Ch 0x0000000c mov esi, eax 0x0000000e sub esp, 0Bh 0x00000011 jmp 00007FE5151CE634h 0x00000013 jle 00007FE5151CE630h 0x00000015 mov al, ah 0x00000017 lea esp, dword ptr [esp+03h] 0x0000001b jmp 00007FE5151CE62Eh 0x0000001d jmp 00007FE5151CE5F4h 0x0000001f add esp, 08h 0x00000022 jo 00007FE5151CE641h 0x00000024 jno 00007FE5151CE63Fh 0x00000026 pop esi 0x00000027 xchg ch, al 0x00000029 pushfd 0x0000002a jmp 00007FE5151CE5F6h 0x0000002c mov cl, 90h 0x0000002e bswap edx 0x00000030 jmp 00007FE5151CE628h 0x00000032 add esp, 04h 0x00000035 jmp 00007FE5151CE72Eh 0x0000003a jne 00007FE5151CE4F8h 0x00000040 pop ebp 0x00000041 mov di, word ptr [esp] 0x00000045 xchg ah, al 0x00000047 mov ah, 7Dh 0x00000049 jmp 00007FE5151CE6CCh 0x0000004e bsr ax, bp 0x00000052 jnbe 00007FE5151CE59Ch 0x00000054 pop edi 0x00000055 jmp 00007FE5151B7BCCh 0x0000005a mov ebx, ebp 0x0000005c lea eax, dword ptr [esp+ecx] 0x0000005f setle ah 0x00000062 sets dl 0x00000065 call 00007FE5151CE5EFh 0x0000006a xchg cl, ch 0x0000006c pushad 0x0000006d rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CCFBA9C second address: 000000006CCECE3D instructions: 0x00000000 rdtsc 0x00000002 mov eax, dword ptr [esp] 0x00000005 jmp 00007FE5150C27B9h 0x0000000a movzx ecx, byte ptr [ebp+00h] 0x0000000e jmp 00007FE5150D13DFh 0x00000010 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CD01465 second address: 000000006CD0146C instructions: 0x00000000 rdtsc 0x00000002 not ah 0x00000004 ror cl, 00000000h 0x00000007 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CD03196 second address: 000000006CD01849 instructions: 0x00000000 rdtsc 0x00000002 stc 0x00000003 jmp 00007FE5150D1528h 0x00000008 jo 00007FE5150D12DEh 0x0000000e mov edx, 4C97B051h 0x00000013 neg edx 0x00000015 jmp 00007FE5150D1383h 0x00000017 mov eax, dword ptr [esi] 0x0000001a setnl dh 0x0000001d jmp 00007FE5150D141Ch 0x0000001f mov dh, cl 0x00000021 call 00007FE5150D13E4h 0x00000026 sub esi, 04h 0x00000029 mov edx, esi 0x0000002b lea edx, dword ptr [esp+esi] 0x0000002e pushfd 0x0000002f jmp 00007FE5150D142Eh 0x00000031 btc ecx, ecx 0x00000034 jle 00007FE5150D13E7h 0x00000036 jnle 00007FE5150D13E5h 0x00000038 mov dword ptr [esi], eax 0x0000003a lea ecx, dword ptr [ebp+00003F07h] 0x00000040 bts cx, bx 0x00000044 jmp 00007FE5150D1489h 0x00000049 jc 00007FE5150D1388h 0x0000004b xchg dh, cl 0x0000004d mov dx, FA48h 0x00000051 jmp 00007FE5150CF9ACh 0x00000056 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CD01BCB second address: 000000006CD01E93 instructions: 0x00000000 rdtsc 0x00000002 sub esp, 11h 0x00000005 mov word ptr [esp+07h], ax 0x0000000a inc dx 0x0000000c jmp 00007FE5151CE62Dh 0x0000000e lea esp, dword ptr [esp+01h] 0x00000012 lea edi, dword ptr [edi-0000002Bh] 0x00000018 bswap edx 0x0000001a adc edx, ecx 0x0000001c dec dh 0x0000001e setb ah 0x00000021 jmp 00007FE5151CEC5Fh 0x00000026 xchg dword ptr [esp+10h], edi 0x0000002a bsr eax, ecx 0x0000002d sub eax, esi 0x0000002f push dword ptr [esp+10h] 0x00000033 retn 0014h 0x00000036 mov edx, eax 0x00000038 mov eax, ebp 0x0000003a btr eax, ebp 0x0000003d jmp 00007FE5151CEA20h 0x00000042 jl 00007FE5151CE7AAh 0x00000048 mov eax, esi 0x0000004a inc cl 0x0000004c bsr dx, ax 0x00000050 jmp 00007FE5151CE269h 0x00000055 jnp 00007FE5151CE6EEh 0x0000005b mov edx, dword ptr [esp] 0x0000005e xchg eax, edx 0x0000005f jmp 00007FE5151CE4F1h 0x00000064 bsf edx, ebp 0x00000067 jmp 00007FE5151CE807h 0x0000006c pushad 0x0000006d rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CD0345B second address: 000000006CD034FB instructions: 0x00000000 rdtsc 0x00000002 mov ch, bh 0x00000004 stc 0x00000005 mov eax, dword ptr [esp] 0x00000008 jmp 00007FE5151CE629h 0x0000000a mov dl, E0h 0x0000000c push dword ptr [esp+18h] 0x00000010 retn 001Ch 0x00000013 mov edi, dword ptr [ebp+00h] 0x00000016 lea eax, dword ptr [edx+ebx] 0x00000019 setnle cl 0x0000001c mov eax, B0A52D3Ah 0x00000021 jmp 00007FE5151CE7F9h 0x00000026 push bx 0x00000028 lea esp, dword ptr [esp+02h] 0x0000002c add ebp, 04h 0x0000002f mov dx, word ptr [esp] 0x00000033 mov ecx, edx 0x00000035 jmp 00007FE5151CE555h 0x0000003a push esi 0x0000003b neg ah 0x0000003d jnle 00007FE5151CE5B7h 0x0000003f not ch 0x00000041 cmc 0x00000042 jmp 00007FE5151CE592h 0x00000044 push edi 0x00000045 neg ecx 0x00000047 jne 00007FE5151CE5F6h 0x00000049 jmp 00007FE5151CE664h 0x0000004b clc 0x0000004c rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CCFAD3A second address: 000000006CCECBBE instructions: 0x00000000 rdtsc 0x00000002 lea eax, dword ptr [00000000h+ebx*4] 0x00000009 mov ecx, D5B43DB6h 0x0000000e jmp 00007FE5150C3289h 0x00000013 mov ebx, ebp 0x00000015 lea eax, dword ptr [esp+ecx] 0x00000018 setle ah 0x0000001b sets dl 0x0000001e call 00007FE5150D13DFh 0x00000023 xchg cl, ch 0x00000025 pushad 0x00000026 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CD0457D second address: 000000006CD0457F instructions: 0x00000000 rdtsc 0x00000002 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CCFE1D1 second address: 000000006CCFE3D9 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 xchg word ptr [esp], ax 0x00000007 lea ecx, dword ptr [ecx+esi] 0x0000000a xchg dword ptr [esp+04h], esi 0x0000000e jmp 00007FE5151CE616h 0x00000010 cmc 0x00000011 neg al 0x00000013 dec cx 0x00000015 lea ecx, dword ptr [00000000h+edi*4] 0x0000001c mov eax, 63E4BEA4h 0x00000021 jmp 00007FE5151CE7F0h 0x00000026 lea esi, dword ptr [esi+2Ah] 0x00000029 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CD121EC second address: 000000006CD121EE instructions: 0x00000000 rdtsc 0x00000002 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CCEA7C8 second address: 000000006CCEA807 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE5151CE5ECh 0x00000004 sub esp, 000000A0h 0x0000000a call 00007FE5151CE665h 0x0000000f setno bl 0x00000012 mov al, byte ptr [esp] 0x00000015 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CD039C4 second address: 000000006CD039F9 instructions: 0x00000000 rdtsc 0x00000002 lea esp, dword ptr [esp+02h] 0x00000006 jmp 00007FE5150D13D5h 0x00000008 lea ebp, dword ptr [ebp-00000520h] 0x0000000e xchg eax, edx 0x0000000f lea eax, dword ptr [00000000h+ecx*4] 0x00000016 jmp 00007FE5150D143Ch 0x00000018 mov dx, bp 0x0000001b lea eax, dword ptr [edi+ebp] 0x0000001e not eax 0x00000020 xchg dword ptr [esp+3Ch], ebp 0x00000024 bsf dx, di 0x00000028 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CD3A396 second address: 000000006CD3A359 instructions: 0x00000000 rdtsc 0x00000002 bswap ecx 0x00000004 mov dh, byte ptr [esp] 0x00000007 jmp 00007FE5151CE4E8h 0x0000000c add esi, 02h 0x0000000f btr cx, ax 0x00000013 jno 00007FE5151CE6EDh 0x00000019 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CD3A359 second address: 000000006CD3A2DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE5150D1351h 0x00000007 not cl 0x00000009 call 00007FE5150D144Dh 0x0000000e lea edx, dword ptr [00000000h+esi*4] 0x00000015 mov cx, E8B9h 0x00000019 rcl dx, cl 0x0000001c btc cx, ax 0x00000020 xchg al, cl 0x00000022 jmp 00007FE5150D13C9h 0x00000024 xchg dword ptr [esp], edi 0x00000027 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CD3A2DB second address: 000000006CD3A2D0 instructions: 0x00000000 rdtsc 0x00000002 btc eax, ebx 0x00000005 mov eax, edx 0x00000007 xchg ch, ah 0x00000009 lea edi, dword ptr [edi-0004D459h] 0x0000000f jmp 00007FE5151CE5E8h 0x00000011 mov eax, edi 0x00000013 mov dx, EA8Dh 0x00000017 lea ecx, dword ptr [ebx+52h] 0x0000001a xchg dword ptr [esp], edi 0x0000001d bswap edx 0x0000001f rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CD3A2D0 second address: 000000006CCECE3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE5150D1455h 0x00000004 push dword ptr [esp] 0x00000007 retn 0004h 0x0000000a movzx ecx, byte ptr [ebp+00h] 0x0000000e jmp 00007FE5150D13DFh 0x00000010 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD2288F second address: 000000006CD2288F instructions: 0x00000000 rdtsc 0x00000002 mov di, word ptr [esp] 0x00000006 mov dword ptr [esp+1Ch], ebp 0x0000000a popad 0x0000000b jmp 00007FE5151CE62Eh 0x0000000d lea eax, dword ptr [eax+74h] 0x00000010 mov ecx, dword ptr [eax] 0x00000012 pop eax 0x00000013 jmp 00007FE5151CE632h 0x00000015 dec dword ptr [ebp+74h] 0x00000018 sub esp, 16h 0x0000001b lea esp, dword ptr [esp+02h] 0x0000001f jmp 00007FE5151CE644h 0x00000021 lea esp, dword ptr [esp+14h] 0x00000025 test ecx, ecx 0x00000027 jne 00007FE5151CE56Eh 0x0000002d mov byte ptr [eax], 00000000h 0x00000030 jmp 00007FE5151CE616h 0x00000032 inc eax 0x00000033 jmp 00007FE5151CE5E0h 0x00000035 push eax 0x00000036 jmp 00007FE5151CE641h 0x00000038 pushad 0x00000039 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD49DB9 second address: 000000006CD49ED1 instructions: 0x00000000 rdtsc 0x00000002 setnle cl 0x00000005 setb cl 0x00000008 jmp 00007FE5150D1451h 0x0000000a sub edi, 08h 0x0000000d xchg ch, cl 0x0000000f bsr ecx, ebx 0x00000012 je 00007FE5150D13E2h 0x00000014 jne 00007FE5150D1BF3h 0x0000001a neg ch 0x0000001c jmp 00007FE5150D12DFh 0x00000021 pushad 0x00000022 xchg eax, esi 0x00000023 sub esp, 0Fh 0x00000026 jbe 00007FE5150D1381h 0x0000002c xchg word ptr [esp+06h], ax 0x00000031 mov dx, 2507h 0x00000035 lea esp, dword ptr [esp+03h] 0x00000039 mov dword ptr [esp+24h], edi 0x0000003d lea esp, dword ptr [esp+0Ch] 0x00000041 jmp 00007FE5150D0E0Fh 0x00000046 popad 0x00000047 mov dword ptr [ecx], edx 0x00000049 jmp 00007FE5150D1335h 0x0000004e rcr ch, cl 0x00000050 jbe 00007FE5150D13E8h 0x00000052 setno ch 0x00000055 jmp 00007FE5150D1440h 0x00000057 mov edx, edi 0x00000059 add edx, 04h 0x0000005c jnl 00007FE5150D13D3h 0x0000005e jmp 00007FE5150D13EAh 0x00000060 mov dword ptr [edx], eax 0x00000062 bsf eax, ebp 0x00000065 call 00007FE5150D1413h 0x0000006a pop word ptr [esp] 0x0000006e lea esp, dword ptr [esp+02h] 0x00000072 call 00007FE5150D1406h 0x00000077 jmp 00007FE5150D143Ch 0x00000079 shl eax, 03h 0x0000007c lea edx, dword ptr [00000000h+ebp*4] 0x00000083 inc cx 0x00000085 lea ecx, dword ptr [eax+edi] 0x00000088 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD49ED1 second address: 000000006CD49EEE instructions: 0x00000000 rdtsc 0x00000002 xchg dword ptr [esp], ebx 0x00000005 jmp 00007FE5151CE5C2h 0x00000007 not ah 0x00000009 mov eax, DB0AC25Ah 0x0000000e mov edx, F128A53Ch 0x00000013 pushfd 0x00000014 jmp 00007FE5151CE627h 0x00000016 lea ebx, dword ptr [ebx-00044E40h] 0x0000001c mov dx, word ptr [esp] 0x00000020 mov dh, cl 0x00000022 neg dx 0x00000025 jmp 00007FE5151CE643h 0x00000027 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD49EEE second address: 000000006CD0504B instructions: 0x00000000 rdtsc 0x00000002 btc eax, esp 0x00000005 xchg dword ptr [esp+04h], ebx 0x00000009 mov cx, 5D6Fh 0x0000000d xchg cx, ax 0x00000010 sub esp, 1Eh 0x00000013 jmp 00007FE5150D13D7h 0x00000015 mov dl, bl 0x00000017 not cx 0x0000001a lea esp, dword ptr [esp+02h] 0x0000001e push dword ptr [esp+20h] 0x00000022 retn 0024h 0x00000025 jmp 00007FE5150D1448h 0x00000027 stc 0x00000028 jnle 00007FE5150D13B9h 0x0000002a bsf cx, di 0x0000002e rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD32D5E second address: 000000006CD32CA4 instructions: 0x00000000 rdtsc 0x00000002 mov ax, sp 0x00000005 jmp 00007FE5151CE54Eh 0x0000000a lea eax, dword ptr [edi+edi] 0x0000000d rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD32CA4 second address: 000000006CD01849 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE51509FFA3h 0x00000007 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD3B6DE second address: 000000006CD0504B instructions: 0x00000000 rdtsc 0x00000002 mov word ptr [edi], cx 0x00000005 bswap eax 0x00000007 setb al 0x0000000a inc cx 0x0000000c jmp 00007FE5151CE641h 0x0000000e jne 00007FE5151CE5E5h 0x00000010 jmp 00007FE515197F65h 0x00000015 jmp 00007FE5151CE658h 0x00000017 stc 0x00000018 jnle 00007FE5151CE5C9h 0x0000001a bsf cx, di 0x0000001e rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD034C3 second address: 000000006CD0353D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE5150D1438h 0x00000004 push ebp 0x00000005 call 00007FE5150D13E3h 0x0000000a push esp 0x0000000b mov esi, dword ptr [esp+03h] 0x0000000f bswap eax 0x00000011 mov byte ptr [esp+01h], cl 0x00000015 mov word ptr [esp+01h], sp 0x0000001a jmp 00007FE5150D1429h 0x0000001c xchg dword ptr [esp+04h], ebp 0x00000020 pushad 0x00000021 inc cx 0x00000023 bsf di, bx 0x00000027 pop esi 0x00000028 clc 0x00000029 jmp 00007FE5150D13DDh 0x0000002b lea ebp, dword ptr [ebp-0000003Ch] 0x00000031 mov cl, dl 0x00000033 bsr edi, ecx 0x00000036 cmc 0x00000037 cmc 0x00000038 jmp 00007FE5150D144Dh 0x0000003a xchg dword ptr [esp+20h], ebp 0x0000003e inc cl 0x00000040 cmc 0x00000041 setne dh 0x00000044 lea edi, dword ptr [ecx+ebp] 0x00000047 push dword ptr [esp+20h] 0x0000004b retn 0024h 0x0000004e bswap edx 0x00000050 jmp 00007FE5150D1474h 0x00000052 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD3EFCD second address: 000000006CCFEEEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FE5151CE5F7h 0x00000008 sub esi, 08h 0x0000000b pushfd 0x0000000c jmp 00007FE5151CE657h 0x0000000e lea esp, dword ptr [esp+02h] 0x00000012 lea esp, dword ptr [esp+02h] 0x00000016 xchg edx, ecx 0x00000018 call 00007FE5151CE5F0h 0x0000001d add esp, 01h 0x00000020 jnle 00007FE5151CE648h 0x00000022 jmp 00007FE5151CE5FAh 0x00000024 lea esp, dword ptr [esp+03h] 0x00000028 jmp 00007FE5151CE624h 0x0000002a mov dword ptr [esi], ecx 0x0000002c mov ecx, edx 0x0000002e mov cx, word ptr [esp] 0x00000032 bsf ecx, ebx 0x00000035 jmp 00007FE5151CE65Fh 0x00000037 jnle 00007FE5151CE5C7h 0x00000039 mov cx, 166Ah 0x0000003d jmp 00007FE5151CE631h 0x0000003f mov dword ptr [esi+04h], eax 0x00000042 push dx 0x00000044 add esp, 01h 0x00000047 jmp 00007FE5151CE64Ah 0x00000049 jnle 00007FE5151CE5DCh 0x0000004b xchg byte ptr [esp], ah 0x0000004e lea esp, dword ptr [esp+01h] 0x00000052 jmp 00007FE51518E483h 0x00000057 mov cl, byte ptr [esp] 0x0000005a rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD34C1C second address: 000000006CD34C48 instructions: 0x00000000 rdtsc 0x00000002 sub ebp, 02h 0x00000005 neg cx 0x00000008 js 00007FE5150D141Ch 0x0000000a add edx, 213E919Dh 0x00000010 mov edx, eax 0x00000012 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD4FABF second address: 000000006CD01849 instructions: 0x00000000 rdtsc 0x00000002 sub esp, 03h 0x00000005 jl 00007FE5151CE647h 0x00000007 mov word ptr [esp], sp 0x0000000b push word ptr [esp+02h] 0x00000010 sub esp, 16h 0x00000013 lea esp, dword ptr [esp+03h] 0x00000017 jmp 00007FE5151CE7CAh 0x0000001c sub esi, 08h 0x0000001f pushad 0x00000020 cmc 0x00000021 jl 00007FE5151CE512h 0x00000027 jnl 00007FE5151CE50Ch 0x0000002d call 00007FE5151CE5F1h 0x00000032 pop dword ptr [esp+10h] 0x00000036 jmp 00007FE5151CE5F6h 0x00000038 xchg edx, ecx 0x0000003a clc 0x0000003b jnp 00007FE5151CE629h 0x0000003d jp 00007FE5151CE627h 0x0000003f mov dword ptr [esi], ecx 0x00000041 jmp 00007FE5151CE663h 0x00000043 mov ch, 19h 0x00000045 mov cx, 60D1h 0x00000049 lea ecx, dword ptr [00000000h+ebx*4] 0x00000050 bsr ecx, edi 0x00000053 jle 00007FE5151CE5DFh 0x00000055 jnle 00007FE5151CE5DDh 0x00000057 jmp 00007FE5151CE5FAh 0x00000059 mov ecx, esi 0x0000005b jmp 00007FE5151CE626h 0x0000005d add ecx, 04h 0x00000060 jmp 00007FE5151CE65Fh 0x00000062 jne 00007FE5151CE5C7h 0x00000064 mov dword ptr [ecx], eax 0x00000066 bswap eax 0x00000068 mov ecx, esi 0x0000006a jmp 00007FE515180296h 0x0000006f rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD2288F second address: 000000006CD2288F instructions: 0x00000000 rdtsc 0x00000002 mov di, word ptr [esp] 0x00000006 mov dword ptr [esp+1Ch], ebp 0x0000000a popad 0x0000000b jmp 00007FE5150D141Eh 0x0000000d lea eax, dword ptr [eax+74h] 0x00000010 mov ecx, dword ptr [eax] 0x00000012 pop eax 0x00000013 jmp 00007FE5150D1422h 0x00000015 dec dword ptr [ebp+74h] 0x00000018 sub esp, 16h 0x0000001b lea esp, dword ptr [esp+02h] 0x0000001f jmp 00007FE5150D1434h 0x00000021 lea esp, dword ptr [esp+14h] 0x00000025 test ecx, ecx 0x00000027 jne 00007FE5150D135Eh 0x0000002d mov byte ptr [eax], 00000000h 0x00000030 jmp 00007FE5150D1406h 0x00000032 inc eax 0x00000033 jmp 00007FE5150D13D0h 0x00000035 push eax 0x00000036 jmp 00007FE5150D1431h 0x00000038 pushad 0x00000039 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD49DB9 second address: 000000006CD49ED1 instructions: 0x00000000 rdtsc 0x00000002 setnle cl 0x00000005 setb cl 0x00000008 jmp 00007FE5151CE661h 0x0000000a sub edi, 08h 0x0000000d xchg ch, cl 0x0000000f bsr ecx, ebx 0x00000012 je 00007FE5151CE5F2h 0x00000014 jne 00007FE5151CEE03h 0x0000001a neg ch 0x0000001c jmp 00007FE5151CE4EFh 0x00000021 pushad 0x00000022 xchg eax, esi 0x00000023 sub esp, 0Fh 0x00000026 jbe 00007FE5151CE591h 0x0000002c xchg word ptr [esp+06h], ax 0x00000031 mov dx, 2507h 0x00000035 lea esp, dword ptr [esp+03h] 0x00000039 mov dword ptr [esp+24h], edi 0x0000003d lea esp, dword ptr [esp+0Ch] 0x00000041 jmp 00007FE5151CE01Fh 0x00000046 popad 0x00000047 mov dword ptr [ecx], edx 0x00000049 jmp 00007FE5151CE545h 0x0000004e rcr ch, cl 0x00000050 jbe 00007FE5151CE5F8h 0x00000052 setno ch 0x00000055 jmp 00007FE5151CE66Ah 0x00000057 mov edx, edi 0x00000059 add edx, 04h 0x0000005c jnl 00007FE5151CE5E3h 0x0000005e jmp 00007FE5151CE5FAh 0x00000060 mov dword ptr [edx], eax 0x00000062 bsf eax, ebp 0x00000065 call 00007FE5151CE623h 0x0000006a pop word ptr [esp] 0x0000006e lea esp, dword ptr [esp+02h] 0x00000072 call 00007FE5151CE616h 0x00000077 jmp 00007FE5151CE64Ch 0x00000079 shl eax, 03h 0x0000007c lea edx, dword ptr [00000000h+ebp*4] 0x00000083 inc cx 0x00000085 lea ecx, dword ptr [eax+edi] 0x00000088 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD49ED1 second address: 000000006CD49EEE instructions: 0x00000000 rdtsc 0x00000002 xchg dword ptr [esp], ebx 0x00000005 jmp 00007FE5150D13B2h 0x00000007 not ah 0x00000009 mov eax, DB0AC25Ah 0x0000000e mov edx, F128A53Ch 0x00000013 pushfd 0x00000014 jmp 00007FE5150D1417h 0x00000016 lea ebx, dword ptr [ebx-00044E40h] 0x0000001c mov dx, word ptr [esp] 0x00000020 mov dh, cl 0x00000022 neg dx 0x00000025 jmp 00007FE5150D1433h 0x00000027 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD49EEE second address: 000000006CD0504B instructions: 0x00000000 rdtsc 0x00000002 btc eax, esp 0x00000005 xchg dword ptr [esp+04h], ebx 0x00000009 mov cx, 5D6Fh 0x0000000d xchg cx, ax 0x00000010 sub esp, 1Eh 0x00000013 jmp 00007FE5151CE5E7h 0x00000015 mov dl, bl 0x00000017 not cx 0x0000001a lea esp, dword ptr [esp+02h] 0x0000001e push dword ptr [esp+20h] 0x00000022 retn 0024h 0x00000025 jmp 00007FE5151CE658h 0x00000027 stc 0x00000028 jnle 00007FE5151CE5C9h 0x0000002a bsf cx, di 0x0000002e rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD32D5E second address: 000000006CD32CA4 instructions: 0x00000000 rdtsc 0x00000002 mov ax, sp 0x00000005 jmp 00007FE5150D133Eh 0x0000000a lea eax, dword ptr [edi+edi] 0x0000000d rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD32CA4 second address: 000000006CD01849 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE51519D1B3h 0x00000007 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD3B6DE second address: 000000006CD0504B instructions: 0x00000000 rdtsc 0x00000002 mov word ptr [edi], cx 0x00000005 bswap eax 0x00000007 setb al 0x0000000a inc cx 0x0000000c jmp 00007FE5150D1431h 0x0000000e jne 00007FE5150D13D5h 0x00000010 jmp 00007FE51509AD55h 0x00000015 jmp 00007FE5150D1448h 0x00000017 stc 0x00000018 jnle 00007FE5150D13B9h 0x0000001a bsf cx, di 0x0000001e rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD034C3 second address: 000000006CD0353D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE5151CE648h 0x00000004 push ebp 0x00000005 call 00007FE5151CE5F3h 0x0000000a push esp 0x0000000b mov esi, dword ptr [esp+03h] 0x0000000f bswap eax 0x00000011 mov byte ptr [esp+01h], cl 0x00000015 mov word ptr [esp+01h], sp 0x0000001a jmp 00007FE5151CE639h 0x0000001c xchg dword ptr [esp+04h], ebp 0x00000020 pushad 0x00000021 inc cx 0x00000023 bsf di, bx 0x00000027 pop esi 0x00000028 clc 0x00000029 jmp 00007FE5151CE5EDh 0x0000002b lea ebp, dword ptr [ebp-0000003Ch] 0x00000031 mov cl, dl 0x00000033 bsr edi, ecx 0x00000036 cmc 0x00000037 cmc 0x00000038 jmp 00007FE5151CE65Dh 0x0000003a xchg dword ptr [esp+20h], ebp 0x0000003e inc cl 0x00000040 cmc 0x00000041 setne dh 0x00000044 lea edi, dword ptr [ecx+ebp] 0x00000047 push dword ptr [esp+20h] 0x0000004b retn 0024h 0x0000004e bswap edx 0x00000050 jmp 00007FE5151CE684h 0x00000052 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD3EFCD second address: 000000006CCFEEEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FE5150D13E7h 0x00000008 sub esi, 08h 0x0000000b pushfd 0x0000000c jmp 00007FE5150D1447h 0x0000000e lea esp, dword ptr [esp+02h] 0x00000012 lea esp, dword ptr [esp+02h] 0x00000016 xchg edx, ecx 0x00000018 call 00007FE5150D13E0h 0x0000001d add esp, 01h 0x00000020 jnle 00007FE5150D1438h 0x00000022 jmp 00007FE5150D13EAh 0x00000024 lea esp, dword ptr [esp+03h] 0x00000028 jmp 00007FE5150D1414h 0x0000002a mov dword ptr [esi], ecx 0x0000002c mov ecx, edx 0x0000002e mov cx, word ptr [esp] 0x00000032 bsf ecx, ebx 0x00000035 jmp 00007FE5150D144Fh 0x00000037 jnle 00007FE5150D13B7h 0x00000039 mov cx, 166Ah 0x0000003d jmp 00007FE5150D1421h 0x0000003f mov dword ptr [esi+04h], eax 0x00000042 push dx 0x00000044 add esp, 01h 0x00000047 jmp 00007FE5150D143Ah 0x00000049 jnle 00007FE5150D13CCh 0x0000004b xchg byte ptr [esp], ah 0x0000004e lea esp, dword ptr [esp+01h] 0x00000052 jmp 00007FE515091273h 0x00000057 mov cl, byte ptr [esp] 0x0000005a rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD34C1C second address: 000000006CD34C48 instructions: 0x00000000 rdtsc 0x00000002 sub ebp, 02h 0x00000005 neg cx 0x00000008 js 00007FE5151CE62Ch 0x0000000a add edx, 213E919Dh 0x00000010 mov edx, eax 0x00000012 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD4FABF second address: 000000006CD01849 instructions: 0x00000000 rdtsc 0x00000002 sub esp, 03h 0x00000005 jl 00007FE5150D1437h 0x00000007 mov word ptr [esp], sp 0x0000000b push word ptr [esp+02h] 0x00000010 sub esp, 16h 0x00000013 lea esp, dword ptr [esp+03h] 0x00000017 jmp 00007FE5150D15BAh 0x0000001c sub esi, 08h 0x0000001f pushad 0x00000020 cmc 0x00000021 jl 00007FE5150D1302h 0x00000027 jnl 00007FE5150D12FCh 0x0000002d call 00007FE5150D13E1h 0x00000032 pop dword ptr [esp+10h] 0x00000036 jmp 00007FE5150D13E6h 0x00000038 xchg edx, ecx 0x0000003a clc 0x0000003b jnp 00007FE5150D1419h 0x0000003d mov dword ptr [esi], ecx 0x0000003f jmp 00007FE5150D1453h 0x00000041 mov ch, 19h 0x00000043 mov cx, 60D1h 0x00000047 lea ecx, dword ptr [00000000h+ebx*4] 0x0000004e bsr ecx, edi 0x00000051 jle 00007FE5150D13CFh 0x00000053 jnle 00007FE5150D13CDh 0x00000055 jmp 00007FE5150D13EAh 0x00000057 mov ecx, esi 0x00000059 jmp 00007FE5150D1416h 0x0000005b add ecx, 04h 0x0000005e jmp 00007FE5150D144Fh 0x00000060 jne 00007FE5150D13B7h 0x00000062 mov dword ptr [ecx], eax 0x00000064 bswap eax 0x00000066 mov ecx, esi 0x00000068 jmp 00007FE515083086h 0x0000006d rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD12145 second address: 000000006CD12238 instructions: 0x00000000 rdtsc 0x00000002 mov eax, ebx 0x00000004 jmp 00007FE5151CE645h 0x00000006 xchg dword ptr [esp], ecx 0x00000009 mov al, 6Ah 0x0000000b ror ax, cl 0x0000000e setb dh 0x00000011 bsf eax, eax 0x00000014 lea edx, dword ptr [ecx-1DD4EFFBh] 0x0000001a jmp 00007FE5151CE5E6h 0x0000001c lea ecx, dword ptr [ecx-00000024h] 0x00000022 not edx 0x00000024 push edi 0x00000025 mov dx, word ptr [esp+03h] 0x0000002a jmp 00007FE5151CE662h 0x0000002c xchg dword ptr [esp+04h], ecx 0x00000030 bswap edx 0x00000032 lea eax, dword ptr [00000000h+ecx4] 0x00000039 mov ah, EDh 0x0000003b push dword ptr [esp+04h] 0x0000003f retn 0008h 0x00000042 stc 0x00000043 jbe 00007FE5151CE69Ch 0x00000049 call 00007FE5151CE833h 0x0000004e xchg edx, eax 0x00000050 mov eax, edi 0x00000052 mov dx, bp 0x00000055 push edi 0x00000056 xchg dword ptr [esp+04h], ecx 0x0000005a jmp 00007FE5151CE47Dh 0x0000005f mov ah, 99h 0x00000061 sub esp, 01h 0x00000064 neg dx 0x00000067 mov byte ptr [esp], dh 0x0000006a cmc 0x0000006b lea esp, dword ptr [esp+01h] 0x0000006f jmp 00007FE5151CE5E2h 0x00000071 lea ecx, dword ptr [ecx+34h] 0x00000074 call 00007FE5151CE5F7h 0x00000079 mov word ptr [esp], ax 0x0000007d lea edx, dword ptr [edi+2Dh] 0x00000080 lea eax, dword ptr [00000000h+edx4] 0x00000087 jmp 00007FE5151CE620h 0x00000089 xchg dword ptr [esp+08h], ecx 0x0000008d mov al, bl 0x0000008f sub esp, 0Ah 0x00000092 mov dword ptr [esp+04h], esi 0x00000096 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD12145 second address: 000000006CD12238 instructions: 0x00000000 rdtsc 0x00000002 mov eax, ebx 0x00000004 jmp 00007FE5150D1435h 0x00000006 xchg dword ptr [esp], ecx 0x00000009 mov al, 6Ah 0x0000000b ror ax, cl 0x0000000e setb dh 0x00000011 bsf eax, eax 0x00000014 lea edx, dword ptr [ecx-1DD4EFFBh] 0x0000001a jmp 00007FE5150D13D6h 0x0000001c lea ecx, dword ptr [ecx-00000024h] 0x00000022 not edx 0x00000024 push edi 0x00000025 mov dx, word ptr [esp+03h] 0x0000002a jmp 00007FE5150D1452h 0x0000002c xchg dword ptr [esp+04h], ecx 0x00000030 bswap edx 0x00000032 lea eax, dword ptr [00000000h+ecx4] 0x00000039 mov ah, EDh 0x0000003b push dword ptr [esp+04h] 0x0000003f retn 0008h 0x00000042 stc 0x00000043 jbe 00007FE5150D148Ch 0x00000049 call 00007FE5150D1623h 0x0000004e xchg edx, eax 0x00000050 mov eax, edi 0x00000052 mov dx, bp 0x00000055 push edi 0x00000056 xchg dword ptr [esp+04h], ecx 0x0000005a jmp 00007FE5150D126Dh 0x0000005f mov ah, 99h 0x00000061 sub esp, 01h 0x00000064 neg dx 0x00000067 mov byte ptr [esp], dh 0x0000006a cmc 0x0000006b lea esp, dword ptr [esp+01h] 0x0000006f jmp 00007FE5150D13D2h 0x00000071 lea ecx, dword ptr [ecx+34h] 0x00000074 call 00007FE5150D13E7h 0x00000079 mov word ptr [esp], ax 0x0000007d lea edx, dword ptr [edi+2Dh] 0x00000080 lea eax, dword ptr [00000000h+edx4] 0x00000087 jmp 00007FE5150D1410h 0x00000089 xchg dword ptr [esp+08h], ecx 0x0000008d mov al, bl 0x0000008f sub esp, 0Ah 0x00000092 mov dword ptr [esp+04h], esi 0x00000096 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD39B34 second address: 000000006CD39BA7 instructions: 0x00000000 rdtsc 0x00000002 ror eax, 0Bh 0x00000005 je 00007FE5151CE5D0h 0x00000007 bswap eax 0x00000009 mov ah, byte ptr [esp] 0x0000000c mov dx, bp 0x0000000f call 00007FE5151CE616h 0x00000014 mov edx, ebp 0x00000016 mov dh, ch 0x00000018 lea eax, dword ptr [ebp+ebp+00h] 0x0000001c sub esp, 19h 0x0000001f lea esp, dword ptr [esp+01h] 0x00000023 jmp 00007FE5151CE655h 0x00000025 xchg dword ptr [esp+18h], esi 0x00000029 xchg edx, eax 0x0000002b mov dx, C92Fh 0x0000002f rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD4CF3F second address: 000000006CD4CEDE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE5150D1FA9h 0x00000007 mov dx, word ptr [esp] 0x0000000b push dword ptr [esp+04h] 0x0000000f retn 0008h 0x00000012 lea esp, dword ptr [esp+02h] 0x00000016 mov ecx, dword ptr [ebp+00h] 0x00000019 mov dx, 4C2Eh 0x0000001d jmp 00007FE5150D1407h 0x0000001f mov dh, byte ptr [esp] 0x00000022 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD49DB9 second address: 000000006CD49ED1 instructions: 0x00000000 rdtsc 0x00000002 setnle cl 0x00000005 setb cl 0x00000008 jmp 00007FE5150D1451h 0x0000000a sub edi, 08h 0x0000000d xchg ch, cl 0x0000000f bsr ecx, ebx 0x00000012 je 00007FE5150D13E2h 0x00000014 jne 00007FE5150D1BF3h 0x0000001a neg ch 0x0000001c jmp 00007FE5150D12DFh 0x00000021 pushad 0x00000022 xchg eax, esi 0x00000023 sub esp, 0Fh 0x00000026 jbe 00007FE5150D1381h 0x0000002c xchg word ptr [esp+06h], ax 0x00000031 mov dx, 2507h 0x00000035 lea esp, dword ptr [esp+03h] 0x00000039 mov dword ptr [esp+24h], edi 0x0000003d lea esp, dword ptr [esp+0Ch] 0x00000041 jmp 00007FE5150D0E0Fh 0x00000046 popad 0x00000047 mov dword ptr [ecx], edx 0x00000049 jmp 00007FE5150D1335h 0x0000004e rcr ch, cl 0x00000050 jbe 00007FE5150D13E8h 0x00000052 setno ch 0x00000055 jmp 00007FE5150D145Ah 0x00000057 mov edx, edi 0x00000059 add edx, 04h 0x0000005c jnl 00007FE5150D13D3h 0x0000005e jmp 00007FE5150D13EAh 0x00000060 mov dword ptr [edx], eax 0x00000062 bsf eax, ebp 0x00000065 call 00007FE5150D1413h 0x0000006a pop word ptr [esp] 0x0000006e lea esp, dword ptr [esp+02h] 0x00000072 call 00007FE5150D1406h 0x00000077 jmp 00007FE5150D143Ch 0x00000079 shl eax, 03h 0x0000007c lea edx, dword ptr [00000000h+ebp*4] 0x00000083 inc cx 0x00000085 lea ecx, dword ptr [eax+edi] 0x00000088 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD4FABF second address: 000000006CD01849 instructions: 0x00000000 rdtsc 0x00000002 sub esp, 03h 0x00000005 jl 00007FE5151CE647h 0x00000007 mov word ptr [esp], sp 0x0000000b push word ptr [esp+02h] 0x00000010 sub esp, 16h 0x00000013 lea esp, dword ptr [esp+03h] 0x00000017 jmp 00007FE5151CE7CAh 0x0000001c sub esi, 08h 0x0000001f pushad 0x00000020 cmc 0x00000021 jl 00007FE5151CE512h 0x00000027 jnl 00007FE5151CE50Ch 0x0000002d call 00007FE5151CE5F1h 0x00000032 pop dword ptr [esp+10h] 0x00000036 jmp 00007FE5151CE5F6h 0x00000038 xchg edx, ecx 0x0000003a clc 0x0000003b jnp 00007FE5151CE629h 0x0000003d mov dword ptr [esi], ecx 0x0000003f jmp 00007FE5151CE663h 0x00000041 mov ch, 19h 0x00000043 mov cx, 60D1h 0x00000047 lea ecx, dword ptr [00000000h+ebx*4] 0x0000004e bsr ecx, edi 0x00000051 jle 00007FE5151CE5DFh 0x00000053 jnle 00007FE5151CE5DDh 0x00000055 jmp 00007FE5151CE5FAh 0x00000057 mov ecx, esi 0x00000059 jmp 00007FE5151CE626h 0x0000005b add ecx, 04h 0x0000005e jmp 00007FE5151CE65Fh 0x00000060 jne 00007FE5151CE5C7h 0x00000062 mov dword ptr [ecx], eax 0x00000064 bswap eax 0x00000066 mov ecx, esi 0x00000068 jmp 00007FE515180296h 0x0000006d rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD39B34 second address: 000000006CD39BA7 instructions: 0x00000000 rdtsc 0x00000002 ror eax, 0Bh 0x00000005 je 00007FE5150D13C0h 0x00000007 bswap eax 0x00000009 mov ah, byte ptr [esp] 0x0000000c mov dx, bp 0x0000000f call 00007FE5150D1406h 0x00000014 mov edx, ebp 0x00000016 mov dh, ch 0x00000018 lea eax, dword ptr [ebp+ebp+00h] 0x0000001c sub esp, 19h 0x0000001f lea esp, dword ptr [esp+01h] 0x00000023 jmp 00007FE5150D1445h 0x00000025 xchg dword ptr [esp+18h], esi 0x00000029 xchg edx, eax 0x0000002b mov dx, C92Fh 0x0000002f rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD4CF3F second address: 000000006CD4CEDE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE5151CF1B9h 0x00000007 mov dx, word ptr [esp] 0x0000000b push dword ptr [esp+04h] 0x0000000f retn 0008h 0x00000012 lea esp, dword ptr [esp+02h] 0x00000016 mov ecx, dword ptr [ebp+00h] 0x00000019 mov dx, 4C2Eh 0x0000001d jmp 00007FE5151CE617h 0x0000001f mov dh, byte ptr [esp] 0x00000022 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CD2288F second address: 000000006CD2288F instructions: 0x00000000 rdtsc 0x00000002 mov di, word ptr [esp] 0x00000006 mov dword ptr [esp+1Ch], ebp 0x0000000a popad 0x0000000b jmp 00007FE5150D141Eh 0x0000000d lea eax, dword ptr [eax+74h] 0x00000010 mov ecx, dword ptr [eax] 0x00000012 pop eax 0x00000013 jmp 00007FE5150D1422h 0x00000015 dec dword ptr [ebp+74h] 0x00000018 sub esp, 16h 0x0000001b lea esp, dword ptr [esp+02h] 0x0000001f jmp 00007FE5150D1434h 0x00000021 lea esp, dword ptr [esp+14h] 0x00000025 test ecx, ecx 0x00000027 jne 00007FE5150D135Eh 0x0000002d mov byte ptr [eax], 00000000h 0x00000030 jmp 00007FE5150D1406h 0x00000032 inc eax 0x00000033 jmp 00007FE5150D13D0h 0x00000035 push eax 0x00000036 jmp 00007FE5150D1431h 0x00000038 pushad 0x00000039 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CD49DB9 second address: 000000006CD49ED1 instructions: 0x00000000 rdtsc 0x00000002 setnle cl 0x00000005 setb cl 0x00000008 jmp 00007FE5151CE661h 0x0000000a sub edi, 08h 0x0000000d xchg ch, cl 0x0000000f bsr ecx, ebx 0x00000012 je 00007FE5151CE5F2h 0x00000014 jne 00007FE5151CEE03h 0x0000001a neg ch 0x0000001c jmp 00007FE5151CE4EFh 0x00000021 pushad 0x00000022 xchg eax, esi 0x00000023 sub esp, 0Fh 0x00000026 jbe 00007FE5151CE591h 0x0000002c xchg word ptr [esp+06h], ax 0x00000031 mov dx, 2507h 0x00000035 lea esp, dword ptr [esp+03h] 0x00000039 mov dword ptr [esp+24h], edi 0x0000003d lea esp, dword ptr [esp+0Ch] 0x00000041 jmp 00007FE5151CE01Fh 0x00000046 popad 0x00000047 mov dword ptr [ecx], edx 0x00000049 jmp 00007FE5151CE545h 0x0000004e rcr ch, cl 0x00000050 jbe 00007FE5151CE5F8h 0x00000052 setno ch 0x00000055 jmp 00007FE5151CE66Ah 0x00000057 mov edx, edi 0x00000059 add edx, 04h 0x0000005c jnl 00007FE5151CE5E3h 0x0000005e jmp 00007FE5151CE5FAh 0x00000060 mov dword ptr [edx], eax 0x00000062 bsf eax, ebp 0x00000065 call 00007FE5151CE623h 0x0000006a pop word ptr [esp] 0x0000006e lea esp, dword ptr [esp+02h] 0x00000072 call 00007FE5151CE616h 0x00000077 jmp 00007FE5151CE64Ch 0x00000079 shl eax, 03h 0x0000007c lea edx, dword ptr [00000000h+ebp*4] 0x00000083 inc cx 0x00000085 lea ecx, dword ptr [eax+edi] 0x00000088 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CD49ED1 second address: 000000006CD49EEE instructions: 0x00000000 rdtsc 0x00000002 xchg dword ptr [esp], ebx 0x00000005 jmp 00007FE5150D13B2h 0x00000007 not ah 0x00000009 mov eax, DB0AC25Ah 0x0000000e mov edx, F128A53Ch 0x00000013 pushfd 0x00000014 jmp 00007FE5150D1417h 0x00000016 lea ebx, dword ptr [ebx-00044E40h] 0x0000001c mov dx, word ptr [esp] 0x00000020 mov dh, cl 0x00000022 neg dx 0x00000025 jmp 00007FE5150D1433h 0x00000027 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CD49EEE second address: 000000006CD0504B instructions: 0x00000000 rdtsc 0x00000002 btc eax, esp 0x00000005 xchg dword ptr [esp+04h], ebx 0x00000009 mov cx, 5D6Fh 0x0000000d xchg cx, ax 0x00000010 sub esp, 1Eh 0x00000013 jmp 00007FE5151CE5E7h 0x00000015 mov dl, bl 0x00000017 not cx 0x0000001a lea esp, dword ptr [esp+02h] 0x0000001e push dword ptr [esp+20h] 0x00000022 retn 0024h 0x00000025 jmp 00007FE5151CE658h 0x00000027 stc 0x00000028 jnle 00007FE5151CE5C9h 0x0000002a bsf cx, di 0x0000002e rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CD32D5E second address: 000000006CD32CA4 instructions: 0x00000000 rdtsc 0x00000002 mov ax, sp 0x00000005 jmp 00007FE5151CE54Eh 0x0000000a lea eax, dword ptr [edi+edi] 0x0000000d rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CD32CA4 second address: 000000006CD01849 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE51509FFA3h 0x00000007 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CD3B6DE second address: 000000006CD0504B instructions: 0x00000000 rdtsc 0x00000002 mov word ptr [edi], cx 0x00000005 bswap eax 0x00000007 setb al 0x0000000a inc cx 0x0000000c jmp 00007FE5151CE641h 0x0000000e jne 00007FE5151CE5E5h 0x00000010 jmp 00007FE515197F65h 0x00000015 jmp 00007FE5151CE658h 0x00000017 stc 0x00000018 jnle 00007FE5151CE5C9h 0x0000001a bsf cx, di 0x0000001e rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CD034C3 second address: 000000006CD0353D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE5150D1438h 0x00000004 push ebp 0x00000005 call 00007FE5150D13E3h 0x0000000a push esp 0x0000000b mov esi, dword ptr [esp+03h] 0x0000000f bswap eax 0x00000011 mov byte ptr [esp+01h], cl 0x00000015 mov word ptr [esp+01h], sp 0x0000001a jmp 00007FE5150D1429h 0x0000001c xchg dword ptr [esp+04h], ebp 0x00000020 pushad 0x00000021 inc cx 0x00000023 bsf di, bx 0x00000027 pop esi 0x00000028 clc 0x00000029 jmp 00007FE5150D13DDh 0x0000002b lea ebp, dword ptr [ebp-0000003Ch] 0x00000031 mov cl, dl 0x00000033 bsr edi, ecx 0x00000036 cmc 0x00000037 cmc 0x00000038 jmp 00007FE5150D144Dh 0x0000003a xchg dword ptr [esp+20h], ebp 0x0000003e inc cl 0x00000040 cmc 0x00000041 setne dh 0x00000044 lea edi, dword ptr [ecx+ebp] 0x00000047 push dword ptr [esp+20h] 0x0000004b retn 0024h 0x0000004e bswap edx 0x00000050 jmp 00007FE5150D1474h 0x00000052 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CD3EFCD second address: 000000006CCFEEEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FE5151CE5F7h 0x00000008 sub esi, 08h 0x0000000b pushfd 0x0000000c jmp 00007FE5151CE657h 0x0000000e lea esp, dword ptr [esp+02h] 0x00000012 lea esp, dword ptr [esp+02h] 0x00000016 xchg edx, ecx 0x00000018 call 00007FE5151CE5F0h 0x0000001d add esp, 01h 0x00000020 jnle 00007FE5151CE648h 0x00000022 jmp 00007FE5151CE5FAh 0x00000024 lea esp, dword ptr [esp+03h] 0x00000028 jmp 00007FE5151CE624h 0x0000002a mov dword ptr [esi], ecx 0x0000002c mov ecx, edx 0x0000002e mov cx, word ptr [esp] 0x00000032 bsf ecx, ebx 0x00000035 jmp 00007FE5151CE65Fh 0x00000037 jnle 00007FE5151CE5C7h 0x00000039 mov cx, 166Ah 0x0000003d jmp 00007FE5151CE631h 0x0000003f mov dword ptr [esi+04h], eax 0x00000042 push dx 0x00000044 add esp, 01h 0x00000047 jmp 00007FE5151CE64Ah 0x00000049 jnle 00007FE5151CE5DCh 0x0000004b xchg byte ptr [esp], ah 0x0000004e lea esp, dword ptr [esp+01h] 0x00000052 jmp 00007FE51518E483h 0x00000057 mov cl, byte ptr [esp] 0x0000005a rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CD34C1C second address: 000000006CD34C48 instructions: 0x00000000 rdtsc 0x00000002 sub ebp, 02h 0x00000005 neg cx 0x00000008 js 00007FE5150D141Ch 0x0000000a add edx, 213E919Dh 0x00000010 mov edx, eax 0x00000012 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CD4FABF second address: 000000006CD01849 instructions: 0x00000000 rdtsc 0x00000002 sub esp, 03h 0x00000005 jl 00007FE5151CE647h 0x00000007 mov word ptr [esp], sp 0x0000000b push word ptr [esp+02h] 0x00000010 sub esp, 16h 0x00000013 lea esp, dword ptr [esp+03h] 0x00000017 jmp 00007FE5151CE7CAh 0x0000001c sub esi, 08h 0x0000001f pushad 0x00000020 cmc 0x00000021 jl 00007FE5151CE512h 0x00000027 jnl 00007FE5151CE50Ch 0x0000002d call 00007FE5151CE5F1h 0x00000032 pop dword ptr [esp+10h] 0x00000036 jmp 00007FE5151CE5F6h 0x00000038 xchg edx, ecx 0x0000003a clc 0x0000003b jnp 00007FE5151CE629h 0x0000003d jp 00007FE5151CE627h 0x0000003f mov dword ptr [esi], ecx 0x00000041 jmp 00007FE5151CE663h 0x00000043 mov ch, 19h 0x00000045 mov cx, 60D1h 0x00000049 lea ecx, dword ptr [00000000h+ebx*4] 0x00000050 bsr ecx, edi 0x00000053 jle 00007FE5151CE5DFh 0x00000055 jnle 00007FE5151CE5DDh 0x00000057 jmp 00007FE5151CE5FAh 0x00000059 mov ecx, esi 0x0000005b jmp 00007FE5151CE626h 0x0000005d add ecx, 04h 0x00000060 jmp 00007FE5151CE65Fh 0x00000062 jne 00007FE5151CE5C7h 0x00000064 mov dword ptr [ecx], eax 0x00000066 bswap eax 0x00000068 mov ecx, esi 0x0000006a jmp 00007FE515180296h 0x0000006f rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CD12145 second address: 000000006CD12238 instructions: 0x00000000 rdtsc 0x00000002 mov eax, ebx 0x00000004 jmp 00007FE5150D1435h 0x00000006 xchg dword ptr [esp], ecx 0x00000009 mov al, 6Ah 0x0000000b ror ax, cl 0x0000000e setb dh 0x00000011 bsf eax, eax 0x00000014 lea edx, dword ptr [ecx-1DD4EFFBh] 0x0000001a jmp 00007FE5150D13D6h 0x0000001c lea ecx, dword ptr [ecx-00000024h] 0x00000022 not edx 0x00000024 push edi 0x00000025 mov dx, word ptr [esp+03h] 0x0000002a jmp 00007FE5150D1452h 0x0000002c xchg dword ptr [esp+04h], ecx 0x00000030 bswap edx 0x00000032 lea eax, dword ptr [00000000h+ecx4] 0x00000039 mov ah, EDh 0x0000003b push dword ptr [esp+04h] 0x0000003f retn 0008h 0x00000042 stc 0x00000043 jbe 00007FE5150D148Ch 0x00000049 call 00007FE5150D1623h 0x0000004e xchg edx, eax 0x00000050 mov eax, edi 0x00000052 mov dx, bp 0x00000055 push edi 0x00000056 xchg dword ptr [esp+04h], ecx 0x0000005a jmp 00007FE5150D126Dh 0x0000005f mov ah, 99h 0x00000061 sub esp, 01h 0x00000064 neg dx 0x00000067 mov byte ptr [esp], dh 0x0000006a cmc 0x0000006b lea esp, dword ptr [esp+01h] 0x0000006f jmp 00007FE5150D13D2h 0x00000071 lea ecx, dword ptr [ecx+34h] 0x00000074 call 00007FE5150D13E7h 0x00000079 mov word ptr [esp], ax 0x0000007d lea edx, dword ptr [edi+2Dh] 0x00000080 lea eax, dword ptr [00000000h+edx4] 0x00000087 jmp 00007FE5150D1410h 0x00000089 xchg dword ptr [esp+08h], ecx 0x0000008d mov al, bl 0x0000008f sub esp, 0Ah 0x00000092 mov dword ptr [esp+04h], esi 0x00000096 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD4AF6D second address: 000000006CD4AF32 instructions: 0x00000000 rdtsc 0x00000002 neg eax 0x00000004 jmp 00007FE5151CE5AFh 0x00000006 jc 00007FE5151CE62Fh 0x00000008 mov eax, dword ptr [esp] 0x0000000b rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD4AF6D second address: 000000006CD4AF32 instructions: 0x00000000 rdtsc 0x00000002 neg eax 0x00000004 jmp 00007FE5150D139Fh 0x00000006 jc 00007FE5150D141Fh 0x00000008 mov eax, dword ptr [esp] 0x0000000b rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CD39B34 second address: 000000006CD39BA7 instructions: 0x00000000 rdtsc 0x00000002 ror eax, 0Bh 0x00000005 je 00007FE5151CE5D0h 0x00000007 bswap eax 0x00000009 mov ah, byte ptr [esp] 0x0000000c mov dx, bp 0x0000000f call 00007FE5151CE616h 0x00000014 mov edx, ebp 0x00000016 mov dh, ch 0x00000018 lea eax, dword ptr [ebp+ebp+00h] 0x0000001c sub esp, 19h 0x0000001f lea esp, dword ptr [esp+01h] 0x00000023 jmp 00007FE5151CE655h 0x00000025 xchg dword ptr [esp+18h], esi 0x00000029 xchg edx, eax 0x0000002b mov dx, C92Fh 0x0000002f rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CD4CF3F second address: 000000006CD4CEDE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE5150D1FA9h 0x00000007 mov dx, word ptr [esp] 0x0000000b push dword ptr [esp+04h] 0x0000000f retn 0008h 0x00000012 lea esp, dword ptr [esp+02h] 0x00000016 mov ecx, dword ptr [ebp+00h] 0x00000019 mov dx, 4C2Eh 0x0000001d jmp 00007FE5150D1407h 0x0000001f mov dh, byte ptr [esp] 0x00000022 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD4E930 second address: 000000006CD05094 instructions: 0x00000000 rdtsc 0x00000002 call 00007FE5150D1406h 0x00000007 sub edi, 08h 0x0000000a jmp 00007FE5150D1406h 0x0000000c pushad 0x0000000d lea esp, dword ptr [esp+01h] 0x00000011 add esp, 16h 0x00000014 jo 00007FE5150D24B5h 0x0000001a pop dword ptr [esp] 0x0000001d jmp 00007FE5150D258Ah 0x00000022 lea esp, dword ptr [esp+01h] 0x00000026 jmp 00007FE5150D1303h 0x0000002b mov dword ptr [edi], edx 0x0000002d mov dx, cx 0x00000030 setp dh 0x00000033 mov edx, ebx 0x00000035 jmp 00007FE5150D142Eh 0x00000037 xchg eax, ecx 0x00000038 mov dx, word ptr [esp] 0x0000003c bt edx, edx 0x0000003f jnl 00007FE5150D13E0h 0x00000041 bt edx, esi 0x00000044 lea edx, dword ptr [00000000h+ebx*4] 0x0000004b jmp 00007FE5150D1438h 0x0000004d mov dword ptr [edi+04h], ecx 0x00000050 bswap ecx 0x00000052 rol cl, 00000006h 0x00000055 jp 00007FE5150D13DAh 0x00000057 jnp 00007FE5150D13DFh 0x00000059 dec ecx 0x0000005a jmp 00007FE515086A16h 0x0000005f jmp 00007FE5150D1448h 0x00000061 stc 0x00000062 jnle 00007FE5150D13B9h 0x00000064 bsf cx, di 0x00000068 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD4E930 second address: 000000006CD0504B instructions: 0x00000000 rdtsc 0x00000002 call 00007FE5151CE616h 0x00000007 sub edi, 08h 0x0000000a jmp 00007FE5151CE616h 0x0000000c pushad 0x0000000d lea esp, dword ptr [esp+01h] 0x00000011 add esp, 16h 0x00000014 jo 00007FE5151CF6C5h 0x0000001a pop dword ptr [esp] 0x0000001d jmp 00007FE5151CF79Ah 0x00000022 lea esp, dword ptr [esp+01h] 0x00000026 jmp 00007FE5151CE513h 0x0000002b mov dword ptr [edi], edx 0x0000002d mov dx, cx 0x00000030 setp dh 0x00000033 mov edx, ebx 0x00000035 jmp 00007FE5151CE63Eh 0x00000037 xchg eax, ecx 0x00000038 mov dx, word ptr [esp] 0x0000003c bt edx, edx 0x0000003f jnl 00007FE5151CE5F0h 0x00000041 bt edx, esi 0x00000044 lea edx, dword ptr [00000000h+ebx*4] 0x0000004b jmp 00007FE5151CE648h 0x0000004d mov dword ptr [edi+04h], ecx 0x00000050 bswap ecx 0x00000052 rol cl, 00000006h 0x00000055 jp 00007FE5151CE5EAh 0x00000057 jnp 00007FE5151CE5EFh 0x00000059 dec ecx 0x0000005a jmp 00007FE515183C26h 0x0000005f jmp 00007FE5151CE658h 0x00000061 stc 0x00000062 jnle 00007FE5151CE5C9h 0x00000064 bsf cx, di 0x00000068 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CD4AF6D second address: 000000006CD4AF32 instructions: 0x00000000 rdtsc 0x00000002 neg eax 0x00000004 jmp 00007FE5151CE5AFh 0x00000006 jc 00007FE5151CE62Fh 0x00000008 mov eax, dword ptr [esp] 0x0000000b rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD4E930 second address: 000000006CD0504B instructions: 0x00000000 rdtsc 0x00000002 call 00007FE5150D1406h 0x00000007 sub edi, 08h 0x0000000a jmp 00007FE5150D1406h 0x0000000c pushad 0x0000000d lea esp, dword ptr [esp+01h] 0x00000011 add esp, 16h 0x00000014 jo 00007FE5150D24B5h 0x0000001a pop dword ptr [esp] 0x0000001d jmp 00007FE5150D258Ah 0x00000022 lea esp, dword ptr [esp+01h] 0x00000026 jmp 00007FE5150D1303h 0x0000002b mov dword ptr [edi], edx 0x0000002d mov dx, cx 0x00000030 setp dh 0x00000033 mov edx, ebx 0x00000035 jmp 00007FE5150D142Eh 0x00000037 xchg eax, ecx 0x00000038 mov dx, word ptr [esp] 0x0000003c bt edx, edx 0x0000003f jnl 00007FE5150D13E0h 0x00000041 bt edx, esi 0x00000044 lea edx, dword ptr [00000000h+ebx*4] 0x0000004b jmp 00007FE5150D1438h 0x0000004d mov dword ptr [edi+04h], ecx 0x00000050 bswap ecx 0x00000052 rol cl, 00000006h 0x00000055 jp 00007FE5150D13DAh 0x00000057 dec ecx 0x00000058 jmp 00007FE515086A1Dh 0x0000005d jmp 00007FE5150D1448h 0x0000005f stc 0x00000060 jnle 00007FE5150D13B9h 0x00000062 bsf cx, di 0x00000066 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD3B7D0 second address: 000000006CD3271D instructions: 0x00000000 rdtsc 0x00000002 clc 0x00000003 js 00007FE5151CE71Fh 0x00000009 cmc 0x0000000a cmc 0x0000000b jmp 00007FE5151CE6C9h 0x00000010 sub ebp, 08h 0x00000013 pushad 0x00000014 pop word ptr [esp+05h] 0x00000019 jmp 00007FE5151CE59Ch 0x0000001b lea esp, dword ptr [esp+02h] 0x0000001f xchg edx, ecx 0x00000021 call 00007FE5151CE5F4h 0x00000026 mov word ptr [esp], si 0x0000002a pop word ptr [esp] 0x0000002e lea esp, dword ptr [esp+02h] 0x00000032 jmp 00007FE5151CE641h 0x00000034 mov dword ptr [ebp+00h], ecx 0x00000037 pushfd 0x00000038 neg cx 0x0000003b jnp 00007FE5151CE5EDh 0x0000003d jp 00007FE5151CE630h 0x0000003f mov cx, word ptr [esp+03h] 0x00000044 lea ecx, dword ptr [edx-000000F7h] 0x0000004a jmp 00007FE5151CE5E7h 0x0000004c mov dword ptr [ebp+04h], eax 0x0000004f mov ax, sp 0x00000052 mov ecx, dword ptr [esp] 0x00000055 jmp 00007FE5151C53DAh 0x0000005a jmp 00007FE5151CE6FEh 0x0000005f xchg eax, ecx 0x00000060 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD3B7D0 second address: 000000006CD3271D instructions: 0x00000000 rdtsc 0x00000002 clc 0x00000003 js 00007FE5150D150Fh 0x00000009 cmc 0x0000000a cmc 0x0000000b jmp 00007FE5150D14B9h 0x00000010 sub ebp, 08h 0x00000013 pushad 0x00000014 pop word ptr [esp+05h] 0x00000019 jmp 00007FE5150D138Ch 0x0000001b lea esp, dword ptr [esp+02h] 0x0000001f xchg edx, ecx 0x00000021 call 00007FE5150D13E4h 0x00000026 mov word ptr [esp], si 0x0000002a pop word ptr [esp] 0x0000002e lea esp, dword ptr [esp+02h] 0x00000032 jmp 00007FE5150D1431h 0x00000034 mov dword ptr [ebp+00h], ecx 0x00000037 pushfd 0x00000038 neg cx 0x0000003b jnp 00007FE5150D13DDh 0x0000003d jp 00007FE5150D1420h 0x0000003f mov cx, word ptr [esp+03h] 0x00000044 lea ecx, dword ptr [edx-000000F7h] 0x0000004a jmp 00007FE5150D13D7h 0x0000004c mov dword ptr [ebp+04h], eax 0x0000004f mov ax, sp 0x00000052 mov ecx, dword ptr [esp] 0x00000055 jmp 00007FE5150C81CAh 0x0000005a jmp 00007FE5150D14EEh 0x0000005f xchg eax, ecx 0x00000060 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CD4E930 second address: 000000006CD0504B instructions: 0x00000000 rdtsc 0x00000002 call 00007FE5151CE616h 0x00000007 sub edi, 08h 0x0000000a jmp 00007FE5151CE616h 0x0000000c pushad 0x0000000d lea esp, dword ptr [esp+01h] 0x00000011 add esp, 16h 0x00000014 jo 00007FE5151CF6C5h 0x0000001a pop dword ptr [esp] 0x0000001d jmp 00007FE5151CF79Ah 0x00000022 lea esp, dword ptr [esp+01h] 0x00000026 jmp 00007FE5151CE513h 0x0000002b mov dword ptr [edi], edx 0x0000002d mov dx, cx 0x00000030 setp dh 0x00000033 mov edx, ebx 0x00000035 jmp 00007FE5151CE63Eh 0x00000037 xchg eax, ecx 0x00000038 mov dx, word ptr [esp] 0x0000003c bt edx, edx 0x0000003f jnl 00007FE5151CE5F0h 0x00000041 bt edx, esi 0x00000044 lea edx, dword ptr [00000000h+ebx*4] 0x0000004b jmp 00007FE5151CE648h 0x0000004d mov dword ptr [edi+04h], ecx 0x00000050 bswap ecx 0x00000052 rol cl, 00000006h 0x00000055 jp 00007FE5151CE5EAh 0x00000057 dec ecx 0x00000058 jmp 00007FE515183C2Dh 0x0000005d jmp 00007FE5151CE658h 0x0000005f stc 0x00000060 jnle 00007FE5151CE5C9h 0x00000062 bsf cx, di 0x00000066 rdtsc
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006CD3B7D0 second address: 000000006CD3271D instructions: 0x00000000 rdtsc 0x00000002 clc 0x00000003 js 00007FE5151CE71Fh 0x00000009 cmc 0x0000000a cmc 0x0000000b jmp 00007FE5151CE6C9h 0x00000010 sub ebp, 08h 0x00000013 pushad 0x00000014 pop word ptr [esp+05h] 0x00000019 jmp 00007FE5151CE59Ch 0x0000001b lea esp, dword ptr [esp+02h] 0x0000001f xchg edx, ecx 0x00000021 call 00007FE5151CE5F4h 0x00000026 mov word ptr [esp], si 0x0000002a pop word ptr [esp] 0x0000002e lea esp, dword ptr [esp+02h] 0x00000032 jmp 00007FE5151CE641h 0x00000034 mov dword ptr [ebp+00h], ecx 0x00000037 pushfd 0x00000038 neg cx 0x0000003b jnp 00007FE5151CE5EDh 0x0000003d jp 00007FE5151CE630h 0x0000003f mov cx, word ptr [esp+03h] 0x00000044 lea ecx, dword ptr [edx-000000F7h] 0x0000004a jmp 00007FE5151CE5E7h 0x0000004c mov dword ptr [ebp+04h], eax 0x0000004f mov ax, sp 0x00000052 mov ecx, dword ptr [esp] 0x00000055 jmp 00007FE5151C53DAh 0x0000005a jmp 00007FE5151CE6FEh 0x0000005f xchg eax, ecx 0x00000060 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCFB85B second address: 000000006CCFB903 instructions: 0x00000000 rdtsc 0x00000002 lea eax, dword ptr [eax+ebx] 0x00000005 jmp 00007FE5150D13DFh 0x00000007 cmp eax, 9DA45E12h 0x0000000c push si 0x0000000e lea esp, dword ptr [esp+02h] 0x00000012 jmp 00007FE5150D142Eh 0x00000014 pop esi 0x00000015 mov al, dl 0x00000017 mov al, dl 0x00000019 clc 0x0000001a jnp 00007FE5150D13E4h 0x0000001c jmp 00007FE5150D1494h 0x00000021 pop ebp 0x00000022 mov ch, 2Fh 0x00000024 mov ax, BE00h 0x00000028 or eax, ebx 0x0000002a jnle 00007FE5150D13C1h 0x0000002c jle 00007FE5150D13A9h 0x0000002e add esp, 04h 0x00000031 jnbe 00007FE5150D142Bh 0x00000033 pushfd 0x00000034 mov cx, word ptr [esp+02h] 0x00000039 jmp 00007FE5150D13E4h 0x0000003b lea edi, dword ptr [ecx+ebx] 0x0000003e mov edi, dword ptr [esp+04h] 0x00000042 mov edx, 6C4C3A78h 0x00000047 push dx 0x00000049 jmp 00007FE5150D1410h 0x0000004b lea esp, dword ptr [esp+02h] 0x0000004f lea esp, dword ptr [esp+08h] 0x00000053 call 00007FE5150D1431h 0x00000058 mov ax, dx 0x0000005b mov cl, B9h 0x0000005d bt dx, bx 0x00000061 xchg dword ptr [esp], ecx 0x00000064 jmp 00007FE5150D13DEh 0x00000066 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCECBE2 second address: 000000006CCECCAF instructions: 0x00000000 rdtsc 0x00000002 xchg ecx, edx 0x00000004 mov ax, word ptr [esp] 0x00000008 mov edx, B68AAC39h 0x0000000d lea esi, dword ptr [esi-00000052h] 0x00000013 xchg eax, edx 0x00000014 jmp 00007FE5151CE633h 0x00000016 mov edx, ecx 0x00000018 lea eax, dword ptr [00000000h+edi*4] 0x0000001f mov dx, 208Bh 0x00000023 xchg dword ptr [esp+20h], esi 0x00000027 mov cl, ch 0x00000029 xchg dx, ax 0x0000002c jmp 00007FE5151CE5E3h 0x0000002e xchg dx, ax 0x00000031 mov ecx, dword ptr [esp] 0x00000034 push dword ptr [esp+20h] 0x00000038 retn 0024h 0x0000003b mov eax, 12F33EA2h 0x00000040 xor cl, 00000044h 0x00000043 jnl 00007FE5151CE6F0h 0x00000049 jl 00007FE5151CE6CCh 0x0000004f pushfd 0x00000050 mov dx, cx 0x00000053 mov dh, 56h 0x00000055 jmp 00007FE5151CE681h 0x00000057 lea eax, dword ptr [ebx-03h] 0x0000005a lea ecx, dword ptr [ecx-0F5291AAh] 0x00000060 jmp 00007FE5151CE5BDh 0x00000062 lea esp, dword ptr [esp+04h] 0x00000066 sub ebp, 1284C013h 0x0000006c call 00007FE5151CE62Ch 0x00000071 mov ecx, dword ptr [esp] 0x00000074 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CCECBE2 second address: 000000006CCECCAF instructions: 0x00000000 rdtsc 0x00000002 xchg ecx, edx 0x00000004 mov ax, word ptr [esp] 0x00000008 mov edx, B68AAC39h 0x0000000d lea esi, dword ptr [esi-00000052h] 0x00000013 xchg eax, edx 0x00000014 jmp 00007FE5150D1423h 0x00000016 mov edx, ecx 0x00000018 lea eax, dword ptr [00000000h+edi*4] 0x0000001f mov dx, 208Bh 0x00000023 xchg dword ptr [esp+20h], esi 0x00000027 mov cl, ch 0x00000029 xchg dx, ax 0x0000002c jmp 00007FE5150D13D3h 0x0000002e xchg dx, ax 0x00000031 mov ecx, dword ptr [esp] 0x00000034 push dword ptr [esp+20h] 0x00000038 retn 0024h 0x0000003b mov eax, 12F33EA2h 0x00000040 xor cl, 00000044h 0x00000043 jnl 00007FE5150D14E0h 0x00000049 pushfd 0x0000004a mov dx, cx 0x0000004d mov dh, 56h 0x0000004f lea eax, dword ptr [ebx-03h] 0x00000052 lea ecx, dword ptr [ecx-0F5291AAh] 0x00000058 lea esp, dword ptr [esp+04h] 0x0000005c sub ebp, 1284C013h 0x00000062 call 00007FE5150D141Ch 0x00000067 mov ecx, dword ptr [esp] 0x0000006a rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD3A396 second address: 000000006CD3A359 instructions: 0x00000000 rdtsc 0x00000002 bswap ecx 0x00000004 mov dh, byte ptr [esp] 0x00000007 jmp 00007FE5150D12D8h 0x0000000c add esi, 02h 0x0000000f btr cx, ax 0x00000013 jno 00007FE5150D14DDh 0x00000019 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD3A359 second address: 000000006CD3A2DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE5151CE561h 0x00000007 not cl 0x00000009 call 00007FE5151CE65Dh 0x0000000e lea edx, dword ptr [00000000h+esi*4] 0x00000015 mov cx, E8B9h 0x00000019 rcl dx, cl 0x0000001c btc cx, ax 0x00000020 xchg al, cl 0x00000022 jmp 00007FE5151CE5D9h 0x00000024 xchg dword ptr [esp], edi 0x00000027 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD3A2DB second address: 000000006CD3A2D0 instructions: 0x00000000 rdtsc 0x00000002 btc eax, ebx 0x00000005 mov eax, edx 0x00000007 xchg ch, ah 0x00000009 lea edi, dword ptr [edi-0004D459h] 0x0000000f jmp 00007FE5150D13D8h 0x00000011 mov eax, edi 0x00000013 mov dx, EA8Dh 0x00000017 lea ecx, dword ptr [ebx+52h] 0x0000001a xchg dword ptr [esp], edi 0x0000001d bswap edx 0x0000001f rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD3A2D0 second address: 000000006CCECE3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE5151CE665h 0x00000004 push dword ptr [esp] 0x00000007 retn 0004h 0x0000000a movzx ecx, byte ptr [ebp+00h] 0x0000000e jmp 00007FE5151CE5EFh 0x00000010 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD49DB9 second address: 000000006CD49ED1 instructions: 0x00000000 rdtsc 0x00000002 setnle cl 0x00000005 setb cl 0x00000008 jmp 00007FE5151CE661h 0x0000000a sub edi, 08h 0x0000000d xchg ch, cl 0x0000000f bsr ecx, ebx 0x00000012 je 00007FE5151CE5F2h 0x00000014 jne 00007FE5151CEE03h 0x0000001a neg ch 0x0000001c jmp 00007FE5151CE4EFh 0x00000021 pushad 0x00000022 xchg eax, esi 0x00000023 sub esp, 0Fh 0x00000026 jbe 00007FE5151CE591h 0x0000002c xchg word ptr [esp+06h], ax 0x00000031 mov dx, 2507h 0x00000035 lea esp, dword ptr [esp+03h] 0x00000039 mov dword ptr [esp+24h], edi 0x0000003d lea esp, dword ptr [esp+0Ch] 0x00000041 jmp 00007FE5151CE01Fh 0x00000046 popad 0x00000047 mov dword ptr [ecx], edx 0x00000049 jmp 00007FE5151CE545h 0x0000004e rcr ch, cl 0x00000050 jbe 00007FE5151CE5F8h 0x00000052 setno ch 0x00000055 jmp 00007FE5151CE650h 0x00000057 mov edx, edi 0x00000059 add edx, 04h 0x0000005c jnl 00007FE5151CE5E3h 0x0000005e jmp 00007FE5151CE5FAh 0x00000060 mov dword ptr [edx], eax 0x00000062 bsf eax, ebp 0x00000065 call 00007FE5151CE623h 0x0000006a pop word ptr [esp] 0x0000006e lea esp, dword ptr [esp+02h] 0x00000072 call 00007FE5151CE616h 0x00000077 jmp 00007FE5151CE64Ch 0x00000079 shl eax, 03h 0x0000007c lea edx, dword ptr [00000000h+ebp*4] 0x00000083 inc cx 0x00000085 lea ecx, dword ptr [eax+edi] 0x00000088 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD4FABF second address: 000000006CD01849 instructions: 0x00000000 rdtsc 0x00000002 sub esp, 03h 0x00000005 jl 00007FE5150D1437h 0x00000007 mov word ptr [esp], sp 0x0000000b push word ptr [esp+02h] 0x00000010 sub esp, 16h 0x00000013 lea esp, dword ptr [esp+03h] 0x00000017 jmp 00007FE5150D15BAh 0x0000001c sub esi, 08h 0x0000001f pushad 0x00000020 cmc 0x00000021 jl 00007FE5150D1302h 0x00000027 jnl 00007FE5150D12FCh 0x0000002d call 00007FE5150D13E1h 0x00000032 pop dword ptr [esp+10h] 0x00000036 jmp 00007FE5150D13E6h 0x00000038 xchg edx, ecx 0x0000003a clc 0x0000003b jnp 00007FE5150D1419h 0x0000003d jp 00007FE5150D1417h 0x0000003f mov dword ptr [esi], ecx 0x00000041 jmp 00007FE5150D1453h 0x00000043 mov ch, 19h 0x00000045 mov cx, 60D1h 0x00000049 lea ecx, dword ptr [00000000h+ebx*4] 0x00000050 bsr ecx, edi 0x00000053 jle 00007FE5150D13CFh 0x00000055 jnle 00007FE5150D13CDh 0x00000057 jmp 00007FE5150D13EAh 0x00000059 mov ecx, esi 0x0000005b jmp 00007FE5150D1416h 0x0000005d add ecx, 04h 0x00000060 jmp 00007FE5150D144Fh 0x00000062 jne 00007FE5150D13B7h 0x00000064 mov dword ptr [ecx], eax 0x00000066 bswap eax 0x00000068 mov ecx, esi 0x0000006a jmp 00007FE515083086h 0x0000006f rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD4E930 second address: 000000006CD0504B instructions: 0x00000000 rdtsc 0x00000002 call 00007FE5151CE616h 0x00000007 sub edi, 08h 0x0000000a jmp 00007FE5151CE616h 0x0000000c pushad 0x0000000d lea esp, dword ptr [esp+01h] 0x00000011 add esp, 16h 0x00000014 jo 00007FE5151CF6C5h 0x0000001a pop dword ptr [esp] 0x0000001d jmp 00007FE5151CF79Ah 0x00000022 lea esp, dword ptr [esp+01h] 0x00000026 jmp 00007FE5151CE513h 0x0000002b mov dword ptr [edi], edx 0x0000002d mov dx, cx 0x00000030 setp dh 0x00000033 mov edx, ebx 0x00000035 jmp 00007FE5151CE63Eh 0x00000037 xchg eax, ecx 0x00000038 mov dx, word ptr [esp] 0x0000003c bt edx, edx 0x0000003f jnl 00007FE5151CE5F0h 0x00000041 bt edx, esi 0x00000044 lea edx, dword ptr [00000000h+ebx*4] 0x0000004b jmp 00007FE5151CE648h 0x0000004d mov dword ptr [edi+04h], ecx 0x00000050 bswap ecx 0x00000052 rol cl, 00000006h 0x00000055 jp 00007FE5151CE5EAh 0x00000057 dec ecx 0x00000058 jmp 00007FE515183C2Dh 0x0000005d jmp 00007FE5151CE658h 0x0000005f stc 0x00000060 jnle 00007FE5151CE5C9h 0x00000062 bsf cx, di 0x00000066 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD4E930 second address: 000000006CD05094 instructions: 0x00000000 rdtsc 0x00000002 call 00007FE5151CE616h 0x00000007 sub edi, 08h 0x0000000a jmp 00007FE5151CE616h 0x0000000c pushad 0x0000000d lea esp, dword ptr [esp+01h] 0x00000011 add esp, 16h 0x00000014 jo 00007FE5151CF6C5h 0x0000001a pop dword ptr [esp] 0x0000001d jmp 00007FE5151CF79Ah 0x00000022 lea esp, dword ptr [esp+01h] 0x00000026 jmp 00007FE5151CE513h 0x0000002b mov dword ptr [edi], edx 0x0000002d mov dx, cx 0x00000030 setp dh 0x00000033 mov edx, ebx 0x00000035 jmp 00007FE5151CE63Eh 0x00000037 xchg eax, ecx 0x00000038 mov dx, word ptr [esp] 0x0000003c bt edx, edx 0x0000003f jnl 00007FE5151CE5F0h 0x00000041 bt edx, esi 0x00000044 lea edx, dword ptr [00000000h+ebx*4] 0x0000004b jmp 00007FE5151CE648h 0x0000004d mov dword ptr [edi+04h], ecx 0x00000050 bswap ecx 0x00000052 rol cl, 00000006h 0x00000055 jp 00007FE5151CE5EAh 0x00000057 jnp 00007FE5151CE5EFh 0x00000059 dec ecx 0x0000005a jmp 00007FE515183C26h 0x0000005f jmp 00007FE5151CE658h 0x00000061 stc 0x00000062 jnle 00007FE5151CE5C9h 0x00000064 bsf cx, di 0x00000068 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD4E930 second address: 000000006CD0504B instructions: 0x00000000 rdtsc 0x00000002 call 00007FE5150D1406h 0x00000007 sub edi, 08h 0x0000000a jmp 00007FE5150D1406h 0x0000000c pushad 0x0000000d lea esp, dword ptr [esp+01h] 0x00000011 add esp, 16h 0x00000014 jo 00007FE5150D24B5h 0x0000001a pop dword ptr [esp] 0x0000001d jmp 00007FE5150D258Ah 0x00000022 lea esp, dword ptr [esp+01h] 0x00000026 jmp 00007FE5150D1303h 0x0000002b mov dword ptr [edi], edx 0x0000002d mov dx, cx 0x00000030 setp dh 0x00000033 mov edx, ebx 0x00000035 jmp 00007FE5150D142Eh 0x00000037 xchg eax, ecx 0x00000038 mov dx, word ptr [esp] 0x0000003c bt edx, edx 0x0000003f jnl 00007FE5150D13E0h 0x00000041 bt edx, esi 0x00000044 lea edx, dword ptr [00000000h+ebx*4] 0x0000004b jmp 00007FE5150D1438h 0x0000004d mov dword ptr [edi+04h], ecx 0x00000050 bswap ecx 0x00000052 rol cl, 00000006h 0x00000055 jp 00007FE5150D13DAh 0x00000057 jnp 00007FE5150D13DFh 0x00000059 dec ecx 0x0000005a jmp 00007FE515086A16h 0x0000005f jmp 00007FE5150D1448h 0x00000061 stc 0x00000062 jnle 00007FE5150D13B9h 0x00000064 bsf cx, di 0x00000068 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD3B7D0 second address: 000000006CD3271D instructions: 0x00000000 rdtsc 0x00000002 clc 0x00000003 js 00007FE5151CE71Fh 0x00000009 cmc 0x0000000a cmc 0x0000000b jmp 00007FE5151CE6C9h 0x00000010 sub ebp, 08h 0x00000013 pushad 0x00000014 pop word ptr [esp+05h] 0x00000019 jmp 00007FE5151CE59Ch 0x0000001b lea esp, dword ptr [esp+02h] 0x0000001f xchg edx, ecx 0x00000021 call 00007FE5151CE5F4h 0x00000026 mov word ptr [esp], si 0x0000002a pop word ptr [esp] 0x0000002e lea esp, dword ptr [esp+02h] 0x00000032 jmp 00007FE5151CE641h 0x00000034 mov dword ptr [ebp+00h], ecx 0x00000037 pushfd 0x00000038 neg cx 0x0000003b jnp 00007FE5151CE5EDh 0x0000003d mov cx, word ptr [esp+03h] 0x00000042 lea ecx, dword ptr [edx-000000F7h] 0x00000048 jmp 00007FE5151CE62Ch 0x0000004a mov dword ptr [ebp+04h], eax 0x0000004d mov ax, sp 0x00000050 mov ecx, dword ptr [esp] 0x00000053 jmp 00007FE5151C53DAh 0x00000058 jmp 00007FE5151CE6FEh 0x0000005d xchg eax, ecx 0x0000005e rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006CD3B7D0 second address: 000000006CD3271D instructions: 0x00000000 rdtsc 0x00000002 clc 0x00000003 js 00007FE5150D150Fh 0x00000009 cmc 0x0000000a cmc 0x0000000b jmp 00007FE5150D14B9h 0x00000010 sub ebp, 08h 0x00000013 pushad 0x00000014 pop word ptr [esp+05h] 0x00000019 jmp 00007FE5150D138Ch 0x0000001b lea esp, dword ptr [esp+02h] 0x0000001f xchg edx, ecx 0x00000021 call 00007FE5150D13E4h 0x00000026 mov word ptr [esp], si 0x0000002a pop word ptr [esp] 0x0000002e lea esp, dword ptr [esp+02h] 0x00000032 jmp 00007FE5150D1431h 0x00000034 mov dword ptr [ebp+00h], ecx 0x00000037 pushfd 0x00000038 neg cx 0x0000003b jnp 00007FE5150D13DDh 0x0000003d mov cx, word ptr [esp+03h] 0x00000042 lea ecx, dword ptr [edx-000000F7h] 0x00000048 jmp 00007FE5150D141Ch 0x0000004a mov dword ptr [ebp+04h], eax 0x0000004d mov ax, sp 0x00000050 mov ecx, dword ptr [esp] 0x00000053 jmp 00007FE5150C81CAh 0x00000058 jmp 00007FE5150D14EEh 0x0000005d xchg eax, ecx 0x0000005e rdtsc

Source: C:\Windows\SysWOW64\rundll32.exe TID: 4428

Thread sleep time: -40000s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CDD74E3 rdtsc

3_2_6CDD74E3

Source: C:\Windows\SysWOW64\rundll32.exe

API coverage: 1.4 %

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Hides threads from debuggers

Source: rundll32.exe, 0000000F.00000002.832575325.0000000005356000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: DisableGuestVmNetworkConnectivity
Source: rundll32.exe, 00000003.00000002.1007804691.0000000002D5B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1007804691.0000000002D90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000003.00000002.1007804691.0000000002D3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(y
Source: rundll32.exe, 0000000F.00000002.832575325.0000000005356000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: EnableGuestVmNetworkConnectivity
Source: rundll32.exe, 00000005.00000002.628305974.0000000002FDD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Source: C:\Windows\System32\loaddll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6CDD74E3 rdtsc

3_2_6CDD74E3

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EFF0A4 mov esi, dword ptr fs:[00000030h]	0_2_00EFF0A4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EF68A2 mov eax, dword ptr fs:[00000030h]	0_2_00EF68A2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EF68A2 mov eax, dword ptr fs:[00000030h]	0_2_00EF68A2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EF68A2 mov eax, dword ptr fs:[00000030h]	0_2_00EF68A2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EF68A2 mov eax, dword ptr fs:[00000030h]	0_2_00EF68A2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EF68A2 mov ecx, dword ptr fs:[00000030h]	0_2_00EF68A2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC806A mov ecx, dword ptr fs:[00000030h]	0_2_00EC806A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC806A mov eax, dword ptr fs:[00000030h]	0_2_00EC806A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EF0868 mov eax, dword ptr fs:[00000030h]	0_2_00EF0868
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EF0868 mov ecx, dword ptr fs:[00000030h]	0_2_00EF0868
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC4852 mov eax, dword ptr fs:[00000030h]	0_2_00EC4852
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC4852 mov eax, dword ptr fs:[00000030h]	0_2_00EC4852
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC7832 mov eax, dword ptr fs:[00000030h]	0_2_00EC7832
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC7832 mov eax, dword ptr fs:[00000030h]	0_2_00EC7832
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC7832 mov ecx, dword ptr fs:[00000030h]	0_2_00EC7832
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ECB832 mov eax, dword ptr fs:[00000030h]	0_2_00ECB832
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ECB832 mov eax, dword ptr fs:[00000030h]	0_2_00ECB832
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ECB832 mov eax, dword ptr fs:[00000030h]	0_2_00ECB832
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EEF1E5 mov eax, dword ptr fs:[00000030h]	0_2_00EEF1E5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EEF1E5 mov eax, dword ptr fs:[00000030h]	0_2_00EEF1E5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC01F9 mov eax, dword ptr fs:[00000030h]	0_2_00EC01F9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EBE9FD mov eax, dword ptr fs:[00000030h]	0_2_00EBE9FD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EBE9FD mov ecx, dword ptr fs:[00000030h]	0_2_00EBE9FD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EBE9FD mov eax, dword ptr fs:[00000030h]	0_2_00EBE9FD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EBE9FD mov eax, dword ptr fs:[00000030h]	0_2_00EBE9FD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EBE9FD mov eax, dword ptr fs:[00000030h]	0_2_00EBE9FD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EBE9FD mov eax, dword ptr fs:[00000030h]	0_2_00EBE9FD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EE69F2 mov eax, dword ptr fs:[00000030h]	0_2_00EE69F2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EE69F2 mov eax, dword ptr fs:[00000030h]	0_2_00EE69F2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB49F4 mov eax, dword ptr fs:[00000030h]	0_2_00EB49F4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB49F4 mov eax, dword ptr fs:[00000030h]	0_2_00EB49F4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB49F4 mov eax, dword ptr fs:[00000030h]	0_2_00EB49F4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC79C1 mov eax, dword ptr fs:[00000030h]	0_2_00EC79C1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC79C1 mov eax, dword ptr fs:[00000030h]	0_2_00EC79C1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC79C1 mov ecx, dword ptr fs:[00000030h]	0_2_00EC79C1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EBB9B2 mov eax, dword ptr fs:[00000030h]	0_2_00EBB9B2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EBB9B2 mov ecx, dword ptr fs:[00000030h]	0_2_00EBB9B2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00F0696A mov ecx, dword ptr fs:[00000030h]	0_2_00F0696A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00F0696A mov ecx, dword ptr fs:[00000030h]	0_2_00F0696A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EBE936 mov ecx, dword ptr fs:[00000030h]	0_2_00EBE936
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EBE936 mov eax, dword ptr fs:[00000030h]	0_2_00EBE936
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ECBAD2 mov eax, dword ptr fs:[00000030h]	0_2_00ECBAD2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00F05AB5 mov eax, dword ptr fs:[00000030h]	0_2_00F05AB5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00F05AB5 mov ecx, dword ptr fs:[00000030h]	0_2_00F05AB5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00F05AB5 mov ecx, dword ptr fs:[00000030h]	0_2_00F05AB5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00F12A92 mov eax, dword ptr fs:[00000030h]	0_2_00F12A92
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00F12A92 mov eax, dword ptr fs:[00000030h]	0_2_00F12A92
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00F12A92 mov eax, dword ptr fs:[00000030h]	0_2_00F12A92
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00F12A92 mov eax, dword ptr fs:[00000030h]	0_2_00F12A92
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EBFA99 mov eax, dword ptr fs:[00000030h]	0_2_00EBFA99
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EBFA99 mov eax, dword ptr fs:[00000030h]	0_2_00EBFA99
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EBFA99 mov eax, dword ptr fs:[00000030h]	0_2_00EBFA99
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EBFA99 mov eax, dword ptr fs:[00000030h]	0_2_00EBFA99
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EBFA99 mov eax, dword ptr fs:[00000030h]	0_2_00EBFA99
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EEEA01 mov eax, dword ptr fs:[00000030h]	0_2_00EEEA01
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EEEA01 mov eax, dword ptr fs:[00000030h]	0_2_00EEEA01
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EEFBFF mov eax, dword ptr fs:[00000030h]	0_2_00EEFBFF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EEFBFF mov eax, dword ptr fs:[00000030h]	0_2_00EEFBFF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EFBBCD mov eax, dword ptr fs:[00000030h]	0_2_00EFBBCD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EFBBCD mov ecx, dword ptr fs:[00000030h]	0_2_00EFBBCD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB4BAA mov ebx, dword ptr fs:[00000030h]	0_2_00EB4BAA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB4BAA mov eax, dword ptr fs:[00000030h]	0_2_00EB4BAA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB4BAA mov ecx, dword ptr fs:[00000030h]	0_2_00EB4BAA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB4BAA mov eax, dword ptr fs:[00000030h]	0_2_00EB4BAA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EE53BA mov eax, dword ptr fs:[00000030h]	0_2_00EE53BA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EE53BA mov eax, dword ptr fs:[00000030h]	0_2_00EE53BA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EE63B2 cmp dword ptr fs:[00000030h], ebx	0_2_00EE63B2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EE63B2 mov eax, dword ptr fs:[00000030h]	0_2_00EE63B2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EE63B2 mov eax, dword ptr fs:[00000030h]	0_2_00EE63B2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EE63B2 mov eax, dword ptr fs:[00000030h]	0_2_00EE63B2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC6392 mov eax, dword ptr fs:[00000030h]	0_2_00EC6392
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC6392 mov eax, dword ptr fs:[00000030h]	0_2_00EC6392
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC6392 mov eax, dword ptr fs:[00000030h]	0_2_00EC6392
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC6392 mov eax, dword ptr fs:[00000030h]	0_2_00EC6392
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EF0B48 mov eax, dword ptr fs:[00000030h]	0_2_00EF0B48
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EF0B48 mov ecx, dword ptr fs:[00000030h]	0_2_00EF0B48
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EE4CEE mov eax, dword ptr fs:[00000030h]	0_2_00EE4CEE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EFBCF9 mov eax, dword ptr fs:[00000030h]	0_2_00EFBCF9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EFBCF9 mov eax, dword ptr fs:[00000030h]	0_2_00EFBCF9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EFBCF9 mov eax, dword ptr fs:[00000030h]	0_2_00EFBCF9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EFBCF9 mov eax, dword ptr fs:[00000030h]	0_2_00EFBCF9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EFBCF9 mov ecx, dword ptr fs:[00000030h]	0_2_00EFBCF9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EFCCC8 mov eax, dword ptr fs:[00000030h]	0_2_00EFCCC8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EFCCC8 mov ecx, dword ptr fs:[00000030h]	0_2_00EFCCC8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EFCCC8 mov eax, dword ptr fs:[00000030h]	0_2_00EFCCC8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EBD4C2 mov eax, dword ptr fs:[00000030h]	0_2_00EBD4C2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00F05CCC mov eax, dword ptr fs:[00000030h]	0_2_00F05CCC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00F05CCC mov ecx, dword ptr fs:[00000030h]	0_2_00F05CCC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00F05CCC mov ecx, dword ptr fs:[00000030h]	0_2_00F05CCC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB6482 mov eax, dword ptr fs:[00000030h]	0_2_00EB6482
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB6482 mov eax, dword ptr fs:[00000030h]	0_2_00EB6482
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB6482 mov eax, dword ptr fs:[00000030h]	0_2_00EB6482
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EE5490 mov eax, dword ptr fs:[00000030h]	0_2_00EE5490
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EE5490 mov ecx, dword ptr fs:[00000030h]	0_2_00EE5490
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC4472 mov eax, dword ptr fs:[00000030h]	0_2_00EC4472
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC4472 mov eax, dword ptr fs:[00000030h]	0_2_00EC4472
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EF0428 mov eax, dword ptr fs:[00000030h]	0_2_00EF0428
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00F12C24 mov eax, dword ptr fs:[00000030h]	0_2_00F12C24
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC45F2 mov eax, dword ptr fs:[00000030h]	0_2_00EC45F2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC45F2 mov eax, dword ptr fs:[00000030h]	0_2_00EC45F2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ECBDC9 mov eax, dword ptr fs:[00000030h]	0_2_00ECBDC9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EE6DD6 mov eax, dword ptr fs:[00000030h]	0_2_00EE6DD6
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EE6DD6 mov eax, dword ptr fs:[00000030h]	0_2_00EE6DD6
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00F12DCE mov eax, dword ptr fs:[00000030h]	0_2_00F12DCE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB75A2 mov eax, dword ptr fs:[00000030h]	0_2_00EB75A2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EFCDA4 mov eax, dword ptr fs:[00000030h]	0_2_00EFCDA4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC6598 mov eax, dword ptr fs:[00000030h]	0_2_00EC6598
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC6598 mov eax, dword ptr fs:[00000030h]	0_2_00EC6598
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC8592 mov eax, dword ptr fs:[00000030h]	0_2_00EC8592
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC8592 mov eax, dword ptr fs:[00000030h]	0_2_00EC8592
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC8592 mov eax, dword ptr fs:[00000030h]	0_2_00EC8592
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC8592 mov eax, dword ptr fs:[00000030h]	0_2_00EC8592
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC8592 mov eax, dword ptr fs:[00000030h]	0_2_00EC8592
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC8592 mov eax, dword ptr fs:[00000030h]	0_2_00EC8592
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC6D2E mov eax, dword ptr fs:[00000030h]	0_2_00EC6D2E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC6D2E mov eax, dword ptr fs:[00000030h]	0_2_00EC6D2E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC6D2E mov eax, dword ptr fs:[00000030h]	0_2_00EC6D2E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EF652C mov eax, dword ptr fs:[00000030h]	0_2_00EF652C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EF652C mov ecx, dword ptr fs:[00000030h]	0_2_00EF652C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC6530 mov eax, dword ptr fs:[00000030h]	0_2_00EC6530
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC6530 mov eax, dword ptr fs:[00000030h]	0_2_00EC6530
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC6530 mov eax, dword ptr fs:[00000030h]	0_2_00EC6530
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC6530 mov eax, dword ptr fs:[00000030h]	0_2_00EC6530
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC7EC1 mov ecx, dword ptr fs:[00000030h]	0_2_00EC7EC1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC7EC1 mov eax, dword ptr fs:[00000030h]	0_2_00EC7EC1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00F066C2 mov eax, dword ptr fs:[00000030h]	0_2_00F066C2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00F066C2 mov ecx, dword ptr fs:[00000030h]	0_2_00F066C2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00F066C2 mov ecx, dword ptr fs:[00000030h]	0_2_00F066C2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC46A6 mov eax, dword ptr fs:[00000030h]	0_2_00EC46A6
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC46A6 mov eax, dword ptr fs:[00000030h]	0_2_00EC46A6
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC76B9 mov eax, dword ptr fs:[00000030h]	0_2_00EC76B9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC76B9 mov eax, dword ptr fs:[00000030h]	0_2_00EC76B9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB5672 mov ecx, dword ptr fs:[00000030h]	0_2_00EB5672
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC9E77 mov eax, dword ptr fs:[00000030h]	0_2_00EC9E77
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC9E77 mov eax, dword ptr fs:[00000030h]	0_2_00EC9E77
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC9E77 mov eax, dword ptr fs:[00000030h]	0_2_00EC9E77
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC9E77 mov eax, dword ptr fs:[00000030h]	0_2_00EC9E77
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC9E77 mov eax, dword ptr fs:[00000030h]	0_2_00EC9E77
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC9E77 mov eax, dword ptr fs:[00000030h]	0_2_00EC9E77
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC5E72 mov eax, dword ptr fs:[00000030h]	0_2_00EC5E72
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC5E72 mov eax, dword ptr fs:[00000030h]	0_2_00EC5E72
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC5E72 mov eax, dword ptr fs:[00000030h]	0_2_00EC5E72
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC5E72 mov eax, dword ptr fs:[00000030h]	0_2_00EC5E72
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EEDE22 mov eax, dword ptr fs:[00000030h]	0_2_00EEDE22
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EEDE22 mov eax, dword ptr fs:[00000030h]	0_2_00EEDE22
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EE4E20 mov eax, dword ptr fs:[00000030h]	0_2_00EE4E20
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ECBE22 mov eax, dword ptr fs:[00000030h]	0_2_00ECBE22
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ECBE22 mov eax, dword ptr fs:[00000030h]	0_2_00ECBE22
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00ECBE22 mov eax, dword ptr fs:[00000030h]	0_2_00ECBE22
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00F03628 mov eax, dword ptr fs:[00000030h]	0_2_00F03628
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00F03628 mov ecx, dword ptr fs:[00000030h]	0_2_00F03628
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB47EF mov eax, dword ptr fs:[00000030h]	0_2_00EB47EF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB47EF mov eax, dword ptr fs:[00000030h]	0_2_00EB47EF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB4FE2 mov eax, dword ptr fs:[00000030h]	0_2_00EB4FE2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB4FE2 mov ecx, dword ptr fs:[00000030h]	0_2_00EB4FE2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB4FE2 mov eax, dword ptr fs:[00000030h]	0_2_00EB4FE2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB7FF9 mov eax, dword ptr fs:[00000030h]	0_2_00EB7FF9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB7FF9 mov eax, dword ptr fs:[00000030h]	0_2_00EB7FF9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB7FF9 mov eax, dword ptr fs:[00000030h]	0_2_00EB7FF9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC47AE mov eax, dword ptr fs:[00000030h]	0_2_00EC47AE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EEDFA8 mov eax, dword ptr fs:[00000030h]	0_2_00EEDFA8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EEDFA8 mov ecx, dword ptr fs:[00000030h]	0_2_00EEDFA8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EEF7B3 mov eax, dword ptr fs:[00000030h]	0_2_00EEF7B3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EEF7B3 mov eax, dword ptr fs:[00000030h]	0_2_00EEF7B3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EEF7B3 mov eax, dword ptr fs:[00000030h]	0_2_00EEF7B3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00F08F94 mov eax, dword ptr fs:[00000030h]	0_2_00F08F94
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00F08F94 mov ecx, dword ptr fs:[00000030h]	0_2_00F08F94
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB6782 mov eax, dword ptr fs:[00000030h]	0_2_00EB6782
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB6782 mov ecx, dword ptr fs:[00000030h]	0_2_00EB6782
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB6782 mov eax, dword ptr fs:[00000030h]	0_2_00EB6782
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC4F82 mov eax, dword ptr fs:[00000030h]	0_2_00EC4F82
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC4F82 mov eax, dword ptr fs:[00000030h]	0_2_00EC4F82
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EE679A mov eax, dword ptr fs:[00000030h]	0_2_00EE679A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EE679A mov eax, dword ptr fs:[00000030h]	0_2_00EE679A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC6F2C mov eax, dword ptr fs:[00000030h]	0_2_00EC6F2C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC6F2C mov eax, dword ptr fs:[00000030h]	0_2_00EC6F2C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC6F2C mov eax, dword ptr fs:[00000030h]	0_2_00EC6F2C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EC6F2C mov eax, dword ptr fs:[00000030h]	0_2_00EC6F2C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EFA735 mov eax, dword ptr fs:[00000030h]	0_2_00EFA735
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB5702 mov eax, dword ptr fs:[00000030h]	0_2_00EB5702
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB5702 mov ecx, dword ptr fs:[00000030h]	0_2_00EB5702
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EB4702 mov eax, dword ptr fs:[00000030h]	0_2_00EB4702
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EEFF1E mov eax, dword ptr fs:[00000030h]	0_2_00EEFF1E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00EEFF1E mov eax, dword ptr fs:[00000030h]	0_2_00EEFF1E

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 15.228.77.178 80	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Domain query: ebaoffice.com.br
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 187.45.187.42 443	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll",#1

Source: loaddll32.exe, 00000000.00000003.538203445.0000000002998000.00000004.00000800.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.647510965.0000000002CD1000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1010130762.0000000004DAA000.00000040.00000800.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow
Source: rundll32.exe, 00000003.00000002.1011503402.0000000005038000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@
Source: loaddll32.exe, 00000000.00000003.538203445.0000000002998000.00000004.00000800.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.647510965.0000000002CD1000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1010130762.0000000004DAA000.00000040.00000800.00020000.00000000.sdmp	Binary or memory string: SetProgmanWindow

Source: C:\Windows\SysWOW64\rundll32.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Source: rundll32.exe, 00000003.00000002.1007804691.0000000002D5B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	11 Registry Run Keys / Startup Folder	112 Process Injection	1 Masquerading	21 Input Capture	341 Security Software Discovery	Remote Services	21 Input Capture	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Registry Run Keys / Startup Folder	121 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 DLL Side-Loading	112 Process Injection	Security Account Manager	121 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Deobfuscate/Decode Files or Information	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	21 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Rundll32	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll	58%	ReversingLabs	Win32.Trojan.Barys
SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll	63%	Virustotal		Browse
SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
ebaoffice.com.br	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.indyproject.org/	0%	URL Reputation	safe
http://crl.micro	0%	URL Reputation	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phps/bo/inspecionando.phpo.php	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phpcU	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phpL	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phpV	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phporyHistory.IE5	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phpe	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/t	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phpr	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/m%	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.php2	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phpp	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phpz	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.php9	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.php4	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.php6	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phpx	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phputllib.dll.DLL	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.php...	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.php_sC:	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phpHistory	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.php	100%	Avira URL Cloud	malware
https://ebaoffice.com.br/imagens/bo/inspecionando.ph	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phpF	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phpH	0%	Avira URL Cloud	safe
https://ebaoffice.com.br/imagens/bo/inspecionando.phpofRA	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ebaoffice.com.br	187.45.187.42	true	true	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ebaoffice.com.br/imagens/bo/inspecionando.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ebaoffice.com.br/imagens/bo/inspecionando.phpcU	rundll32.exe, 00000005.00000002.628305974.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phpL	rundll32.exe, 00000003.00000002.1007804691.0000000002D46000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phpV	rundll32.exe, 00000003.00000002.1007804691.0000000002D90000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phps/bo/inspecionando.phpo.php	rundll32.exe, 00000003.00000002.1007804691.0000000002D90000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phporyHistory.IE5	rundll32.exe, 00000003.00000002.1007804691.0000000002CF0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/t	rundll32.exe, 00000005.00000002.628305974.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.indyproject.org/	rundll32.exe, rundll32.exe, 00000003.00000002.1014696634.000000006AF59000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.1011503402.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.742376267.000000006AF59000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.725061641.0000000005200000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.704747309.000000006AF59000.00000040.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phpe	rundll32.exe, 00000003.00000002.1007804691.0000000002D90000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.php2	rundll32.exe, 00000003.00000002.1007804691.0000000002D90000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.628305974.000000000301F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.628305974.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phpr	rundll32.exe, 00000003.00000002.1007804691.0000000002D90000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phpp	rundll32.exe, 00000005.00000002.628305974.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/m%	rundll32.exe, 00000003.00000002.1007804691.0000000002D46000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.micro	rundll32.exe, 00000003.00000002.1013104330.0000000007010000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phpz	rundll32.exe, 00000005.00000002.628305974.000000000301F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.php9	rundll32.exe, 00000003.00000002.1007804691.0000000002D90000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phpx	rundll32.exe, 00000003.00000002.1007804691.0000000002D46000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.628305974.0000000002FE6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/	rundll32.exe, 00000003.00000002.1007804691.0000000002D46000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.628305974.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.php6	rundll32.exe, 00000005.00000002.628305974.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.php4	rundll32.exe, 00000005.00000002.628239248.0000000000A55000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phputllib.dll.DLL	rundll32.exe, 00000005.00000002.628239248.0000000000A55000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.php...	rundll32.exe, 00000003.00000002.1007804691.0000000002D5B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.php_sC:	rundll32.exe, 00000003.00000002.1013104330.0000000007010000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phpHistory	rundll32.exe, 00000005.00000002.628305974.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.ph	rundll32.exe, 00000003.00000002.1013104330.0000000007010000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phpH	rundll32.exe, 00000003.00000002.1007804691.0000000002D90000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phpF	rundll32.exe, 00000005.00000002.628305974.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ebaoffice.com.br/imagens/bo/inspecionando.phpofRA	rundll32.exe, 00000003.00000002.1007804691.0000000002D5B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
15.228.77.178	unknown	United States		16509	AMAZON-02US	true
187.45.187.42	ebaoffice.com.br	Brazil		33182	DIMENOCUS	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1280994
Start date and time:	2023-07-27 11:42:11 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 15m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll
Detection:	MAL
Classification:	mal88.evad.winDLL@27/7@1/3
EGA Information:	Successful, ratio: 50%
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): WerFault.exe, WMIADAP.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.20
Excluded domains from analysis (whitelisted): blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, watson.telemetry.microsoft.com
Execution Graph export aborted for target loaddll32.exe, PID 5292 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:44:12	API Interceptor	1x Sleep call for process: rundll32.exe modified
11:44:17	API Interceptor	1x Sleep call for process: loaddll32.exe modified
11:44:47	API Interceptor	1x Sleep call for process: WerFault.exe modified
11:44:58	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run rundll32.exe C:\Windows\SysWOW64\rundll32.exe
11:45:16	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
15.228.77.178	f_4_T_u_r_4_34536_45645_3345_wo.msi	Get hash	malicious	Unknown	Browse
	n_f_3_e_l_3_t_r_0_n_1_k_4_00545.msi	Get hash	malicious	Unknown	Browse
	n_f_3_f_1_s_k_4_l.msi	Get hash	malicious	Unknown	Browse
	Mandado-Intima#U00e7#U00e3o_Art516mlhg.msi	Get hash	malicious	Unknown	Browse
	z12A____o-Trabalhista.msi	Get hash	malicious	Unknown	Browse
	z1F_4_T_U_r_4_2024mfdfgryry5.msi	Get hash	malicious	Unknown	Browse
	F_4_T_U_R_4___nf____0992344.4354.msi	Get hash	malicious	Unknown	Browse
	rPEDIDOS-10032023-X491kkum.msi	Get hash	malicious	Unknown	Browse
	z93nf_e_mnhhh345553.msi	Get hash	malicious	Unknown	Browse
	z1n_f_e_Fa_tu_r4_03.msi	Get hash	malicious	Unknown	Browse
	PEDIDOS-08032023-X388omke.msi	Get hash	malicious	Unknown	Browse
	Nota-LG-emitida-13488mhqt.msi	Get hash	malicious	Unknown	Browse
	__B0L3T0_06Marc_23_f4tur4__.msi	Get hash	malicious	Unknown	Browse
	__B0L3T0_06Marc_23_f4tur4__.msi	Get hash	malicious	Unknown	Browse
	rPedido-Danfe-03-03-202316872pnlc.msi	Get hash	malicious	Unknown	Browse
	Autos-Processo 27-02-2023 ligh.msi	Get hash	malicious	Unknown	Browse
	rEmita-Danfe-01-03-20234076czdg.msi	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ebaoffice.com.br	f_4_T_u_r_4_34536_45645_3345_wo.msi	Get hash	malicious	Unknown	Browse	187.45.187.42
	n_f_3_e_l_3_t_r_0_n_1_k_4_00545.msi	Get hash	malicious	Unknown	Browse	187.45.187.42
	n_f_3_f_1_s_k_4_l.msi	Get hash	malicious	Unknown	Browse	187.45.187.42
	z1F_4_T_U_r_4_2024mfdfgryry5.msi	Get hash	malicious	Unknown	Browse	187.45.187.42
	F_4_T_U_R_4___nf____0992344.4354.msi	Get hash	malicious	Unknown	Browse	187.45.187.42
	z93nf_e_mnhhh345553.msi	Get hash	malicious	Unknown	Browse	187.45.187.42
	z1n_f_e_Fa_tu_r4_03.msi	Get hash	malicious	Unknown	Browse	187.45.187.42
	__B0L3T0_06Marc_23_f4tur4__.msi	Get hash	malicious	Unknown	Browse	187.45.187.42
	__B0L3T0_06Marc_23_f4tur4__.msi	Get hash	malicious	Unknown	Browse	187.45.187.42

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	Vj9IqABtkW.exe	Get hash	malicious	Njrat	Browse	3.121.139.82
	CBaxoveJtw.exe	Get hash	malicious	FormBook, GuLoader	Browse	13.248.169.48
	http://gvehealth.com/2681688if6964650sh583289000KO14098WL2LCu185894sA	Get hash	malicious	Unknown	Browse	54.184.24.62
	https://b9halom2.page.link/dmCn	Get hash	malicious	Unknown	Browse	3.71.149.231
	PO_DP-06423.xlam.xlsx	Get hash	malicious	Unknown	Browse	13.224.103.58
	FACTURA_53769.xlam.xlsx	Get hash	malicious	Unknown	Browse	13.224.103.129
	IMG_3846.JPG.........................scr.exe	Get hash	malicious	AveMaria	Browse	3.135.209.48
	doc_pago_de_la_factura_11-369013.xlam.xlsx	Get hash	malicious	Unknown	Browse	13.224.103.129
	cenov#U00e1_nab#U00eddka_a_specifikace.xla.xlsx	Get hash	malicious	Unknown	Browse	13.224.103.129
	http://staging.talentegg.ca/redirect/company/1838/54828?destination=https://SWISSLIFE.fklavye.org.tr/dmF0LnNlcnZpY2VzQHN3aXNzbGlmZS5jb20=	Get hash	malicious	HTMLPhisher	Browse	18.190.15.219
	https://launcher-public-service-prod06.ol.epicgames.com/launcher/api/installer/download/EpicGamesLauncherInstaller.msi?productName=twinmotion	Get hash	malicious	Unknown	Browse	13.225.78.57
	New_Order_Inquiry.xla.xlsx	Get hash	malicious	Unknown	Browse	13.224.103.87
	http://t.1800petmeds.com/track?t=c&mid=26061&eid=LORI@NEXTSTEPMINISTRIES.NET&extra=2&&&http://w1ph62.aynacigold.com/RHVsbGFoLk1hemxhbkBkZW1lLm9ubWljcm9zb2Z0LmNvbQ==	Get hash	malicious	Unknown	Browse	3.127.67.224
	http://t.1800petmeds.com/track?t=c&mid=26061&eid=LORI@NEXTSTEPMINISTRIES.NET&extra=2&&&http://w1ph62.aynacigold.com/RHVsbGFoLk1hemxhbkBkZW1lLm9ubWljcm9zb2Z0LmNvbQ==	Get hash	malicious	Unknown	Browse	3.127.67.224
	Endpoint Agent for Architects , Inc-x64-1.166.1.msi	Get hash	malicious	Unknown	Browse	99.83.250.143
	system32.vbs	Get hash	malicious	AgentTesla	Browse	108.138.36.12
	https://mg3260068.cc/index.html?shareName=mg3260068.cc	Get hash	malicious	Unknown	Browse	108.138.7.4
	message_zdm.html	Get hash	malicious	Unknown	Browse	65.9.66.24
	u1LwUkKDIF.exe	Get hash	malicious	Njrat	Browse	18.157.68.73
	https://disq.us/url?url=https%3A%2F%2Fieseainela-al.com%2F%3AsseHnNRH9eimVvdyXoRGEoL_wz4&cuid=2751344	Get hash	malicious	Unknown	Browse	3.138.114.145

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	Remittance_copy.exe	Get hash	malicious	GuLoader, Lokibot	Browse	187.45.187.42
	Invoices.lnk	Get hash	malicious	Unknown	Browse	187.45.187.42
	Payment_Document.lnk	Get hash	malicious	Unknown	Browse	187.45.187.42
	pikabot_core.dll	Get hash	malicious	Unknown	Browse	187.45.187.42
	pikabot_core.dll	Get hash	malicious	Unknown	Browse	187.45.187.42
	SecuriteInfo.com.Trojan.Heur2.sNW@If4VDppi.27877.25664.exe	Get hash	malicious	Unknown	Browse	187.45.187.42
	SecuriteInfo.com.Adware.Zaxar.111.16621.29357.dll	Get hash	malicious	Unknown	Browse	187.45.187.42
	1.exe	Get hash	malicious	Targeted Ransomware, TrojanRansom	Browse	187.45.187.42
	kMyL3tnxhT.exe	Get hash	malicious	SmokeLoader, Vidar	Browse	187.45.187.42
	0acR8HLrwO.exe	Get hash	malicious	Vidar	Browse	187.45.187.42
	New_Inquiry_List.exe	Get hash	malicious	GuLoader	Browse	187.45.187.42
	lllll.bin.exe	Get hash	malicious	AresLoader	Browse	187.45.187.42
	NOUVELLE_COMMANDE_-pdf.exe	Get hash	malicious	GuLoader	Browse	187.45.187.42
	Yfq7dvvNOA.exe	Get hash	malicious	Babuk, Djvu	Browse	187.45.187.42
	NOUVELLE_COMMANDE_-pdf.exe	Get hash	malicious	GuLoader	Browse	187.45.187.42
	Csz05luwlg.exe	Get hash	malicious	Unknown	Browse	187.45.187.42
	copia_de_la_transferencia.exe	Get hash	malicious	FormBook, GuLoader	Browse	187.45.187.42
	IAENMAIL.-A4-230726-0830-0002632.pdf.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	187.45.187.42
	Sis.exe	Get hash	malicious	FormBook, GuLoader	Browse	187.45.187.42
	CamScanner_07-25-2023.vbs	Get hash	malicious	Remcos	Browse	187.45.187.42

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_d862df93e87cd362728fa3756347b64a4da65e6_82810a17_1bd8fe06\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0274019958106573
Encrypted:	false
SSDEEP:	192:ibii0oXuHBUZMX4jed+ysKCT/u7s5S274ItWc:mikXmBUZMX4jeK/u7s5X4ItWc
MD5:	7402F3022E19CD11599584AA0125786D
SHA1:	A334120E4485087CF126A52B80D36A3A9DD12004
SHA-256:	FCA2337A9CBAF7230E945970CCCB539E0913A7AF2EE91D5E45090E60EA71C83B
SHA-512:	2FA3D596F072B4E0453364D5E15C20CE1565A0737FD6B4480EE1DD896C38DA3A700B71D98EF96B0F9ADED8E3EDCB13E00A0BE643909A4B23149CE0BD50391BEF
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.3.4.9.5.7.0.5.4.1.9.5.3.4.5.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.3.4.9.5.7.0.7.5.3.5.1.5.8.5.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.e.a.d.9.9.8.b.-.3.9.b.1.-.4.e.4.f.-.8.4.9.2.-.c.3.a.8.9.3.c.6.9.2.6.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.e.9.a.7.e.e.2.-.f.f.8.4.-.4.9.8.b.-.9.a.1.a.-.0.6.a.f.e.5.4.c.3.6.1.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.d.c.-.0.0.0.1.-.0.0.1.a.-.b.4.3.5.-.a.5.3.1.b.a.c.0.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D7C.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Jul 27 18:44:18 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	54192
Entropy (8bit):	2.044825611858494
Encrypted:	false
SSDEEP:	192:wJEKlat5e8DicLA/O5SkbB3v46rOs+Txtk1cxN4Fc+nmJ6:QUiQA25LbBf465+TLxN4bm
MD5:	41E1B6419A241BC8F80CBF24C2822729
SHA1:	C088F90A1E9D03DA383C16ADD3C989CB3AA41134
SHA-256:	0902920F8D58392A3F7D71B27A075CD1F9CEA30D65894BAE424A902429AF4582
SHA-512:	E43FC5D7C215F6B01AFCC97AF78BB35CF91CD790D5BE62F8506D0C5D02952A93B280A101F4D332D1F2E60DC8172E785B33E5956FFF001825EAE0CC433EDFD706
Malicious:	false
Reputation:	unknown
Preview:	MDMP....... ..........d....................................4....7..........T.......8...........T...........p...@........................!...................................................................U...........B......`"......GenuineIntelW...........T..............d.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER91A1.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8368
Entropy (8bit):	3.6956025732554405
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiC+6IS6Yv667VgmfThSICpri89bw0sfYvwm:RrlsNiT6V6Yi67VgmfThSLwnf+
MD5:	43A173FB5CA0B9526AA5FB63A72D6E8A
SHA1:	A688AF45822F91ABB9F98F07B65BCA135415170B
SHA-256:	23F24F1C0E965819956FE4F68FB833B113B8BCF946BA8B4677DC234484D74C00
SHA-512:	33648829A01B4B9AD7D746D8C1CE9C1BCB0C8362D9298EEACA42246713BB2F43153AD0916EC79A568F912553FAAD38B66D3F5589F3AA5E550DB4182B95917AED
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.3.6.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER981A.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4722
Entropy (8bit):	4.4924221060878144
Encrypted:	false
SSDEEP:	48:cvIwSD8zs/JgtWI9YuWgc8sqYjLn8fm8M4JCdsr8kFyoX+q8/Wer+A4SrSgd:uITfhjPgrsqYMJx8aBeHDWgd
MD5:	50DFAFDED6981EDD63A81C5A271347C6
SHA1:	A4F84B512E262AC937CF7601FA3C656EBF5A8807
SHA-256:	900F8CB2B9901A4C23912D3C90468C5E1D1B29F8579AC4DB74685368C7FA496D
SHA-512:	8F9E2F34F002F85B3ACA9689832259612E3A99BC51D73F0193D71E5006F2C55AB05A38F5B8D4DC65788B1BBB29D03CEF4F9B2690D21A6CA97E9609FC4F858BC7
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2147274" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\Local\468325

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	4.304229296672175
Encrypted:	false
SSDEEP:	3:1EypylDPG3y:1XpyA3y
MD5:	826568E057E1BCB36A1B75B08F0D32A4
SHA1:	2121022E539E3EB46CC61606088393A2E1043230
SHA-256:	53C745A5E88554008A5237C01000424A296DF5BCEED3C879B646932B86590531
SHA-512:	148E83CD24A1C78AE4F645253DDC2FDDA90FA66258960117B54CEEEE38775D0749416C182CF13FCB08C33F19C5937EBC92AE4DFBCFC90D6E67D867AC9A25BBD8
Malicious:	false
Reputation:	unknown
Preview:	[Generate Pasta]..hhBLffjcZgot..

C:\Windows\appcompat\Programs\Amcache.hve

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.293789859628353
Encrypted:	false
SSDEEP:	12288:SeePciY+chVEIriJrHiKBuO6TBinDhs9GaiZVe0YsOAmjqEVIXE4dieA:zePciY+chVHriJzAEVeF
MD5:	F353A200E88D1DD24BAB026FEF804E05
SHA1:	51C7E1D3EEAC37C4EED9AFC08E57E3438D42B9D0
SHA-256:	854030B7A067CA36E015B9934E9F43271F83D07A46D82239B48C2161939D6717
SHA-512:	96874ECCAED1F9D11EBB73CD5ED2B18C92006981F0BA30F7E211AF90899A0FB4B04E1E3B7836451C031F69C5DB6A63AD2632EFA5018B208FFA922E150BE02298
Malicious:	false
Reputation:	unknown
Preview:	regf^...^...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...T................................................................................................................................................................................................................................................................................................................................................P0..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	3.7713595974354632
Encrypted:	false
SSDEEP:	384:Oe5/+/llYBA+3w6rINn88MTVgGbG+GODvkZJRUpM:Ow/+/llUA+HW88qVgGCkDvMUp
MD5:	72DB247B6590FFA6A343B30730AB2218
SHA1:	EDA831724A0B6FFCB6EA61AA5E99EFD7ECD9903D
SHA-256:	F1D47C6DF9B505CD5AC1228891E1A4AD78FB6B07D79C412B04483C79CFCBE7C2
SHA-512:	A616C9F08254E7FFDDE416954C77DE77067F8A87F4008A7B01941CE6A6B729B4802B48E94442A4EBD0FADA58F901D36636A08B75EC3FF0B9328DE0E8637AB2EB
Malicious:	false
Reputation:	unknown
Preview:	regf]...]...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...T................................................................................................................................................................................................................................................................................................................................................V0..HvLE.^......]...........9._..'..w.E/.'(F............................. ..hbin................p.\..,..........nk,.`C.T.................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk .`C.T........ ........................... .......Z.......................Root........lf......Root....nk .`C.T.....................}.............. ...............*...............DeviceCensus........................vk..................WritePermissionsCheck...

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.865740040086561
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.40% Win16/32 Executable Delphi generic (2074/23) 0.21% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll
File size:	7'131'136 bytes
MD5:	d4257a85611eb9b8fc7da98ad7cd3b4c
SHA1:	10a8821bd70d4afa52388ca04480085b98ac9227
SHA256:	a7d13b0ae56c9d7759c0c20a5ea515760dffa8ea4fa366f9092e901b4579499b
SHA512:	396355dcb832bbd42bc6cf59e674cd984d1f025b857b35cd707f46657171b6163bc92a2eb55f652d250c13429960369a5f080d44b854148c98018e0dbd561a15
SSDEEP:	98304:waK8LG5Sz5CeP4BgLvNb5++Y+wUJ/0Z7mB2tNlXC6vbrFsVBnQgtCnoy:Jtw+6AdjZR4tTXCGNsVB3Coy
TLSH:	3576120FE85F8E7BF95B35BBD8A6907BC1620841A6A19DD0A75586C133E737206CF381
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x269e13c
Entrypoint Section:	.sedata
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x640A145F [Thu Mar 9 17:16:15 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	09c711a9d8dffafaecc3bc1dbbc1f663

Entrypoint Preview

Instruction
call 00007FE514C77A31h
push ebx
popad
outsb
imul ebp, dword ptr [bp+65h], 69685320h
insb
outsb
and byte ptr [esi+32h], dh
xor al, 2Eh
xor byte ptr [esi], ch
xor byte ptr [eax], al
pushfd
stc
jmp 00007FE514C7797Ch
adc dh, FFFFFF93h
mov dl, byte ptr [esp+04h]
bsf dx, si
mov ch, 03h
jmp 00007FE514C77A7Ah
cmc
bound esi, dword ptr [eax]
xchg eax, edi
bound ecx, dword ptr [ebx]
xor eax, A15237A7h
sbb al, 5Ah
mov dword ptr [ebx], eax
popad
jmp 00007FE514C6A79Bh
xchg cl, dl
bsr ecx, esi
sub esp, 14h
push word ptr [esp+22h]
mov ch, 68h
lea edx, dword ptr [00000000h+eax*4]
jmp 00007FE514C77A34h
mov byte ptr [3FCCA535h], al
xchg eax, esp
mov esp, 2ED3B426h
cdq
xlatb
mov dword ptr [esp+02h], ebp
push dword ptr [esp+0Ch]
pop dx
pop word ptr [esp+04h]
bswap ecx
mov cl, dl
jmp 00007FE514C779D8h
mov ch, 3Fh
mov edx, ebx
or ecx, edx
mov edx, esp
xor ecx, ebp
xchg word ptr [esp+04h], cx
jmp 00007FE514C77A43h
daa
mov esp, 6DC43552h
or dword ptr [eax-08992C75h], ebp
ror dword ptr [edi], 1
mov bl, E9h
mov dh, byte ptr [esp+0Ah]
mov ecx, dword ptr [esp+01h]
cld
jmp 00007FE514C779D1h
bswap edx
push dword ptr [esp+06h]
not dh
lea esp, dword ptr [esp+09h]
stc
std
jmp 00007FE514C77A2Eh
retf
bound ebx, dword ptr [ebp+00C6FFECh]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2293026	0x5e99	.sedata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x234b0c4	0x154	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x234c000	0x600	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x234d000	0x394	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2182000	0x502e00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.sedata	0x2183000	0x1c8000	0x1c7e00	False	0.6162363757883191	data	7.114902610616691	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x234b000	0x1000	0x600	False	0.3346354166666667	data	3.575155469094621	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x234c000	0x1000	0x600	False	0.3463541666666667	data	2.8971265676761537	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x234d000	0x1000	0x400	False	0.7158203125	data	5.315543381569861	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.sedata	0x234e000	0x1000	0x1000	False	0.78173828125	data	7.9836033077698	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x234c058	0x458	data	English	United States	0.43884892086330934

Imports

DLL	Import
shlwapi.dll	SHCreateStreamOnFileW
winspool.drv	DocumentPropertiesW
comctl32.dll	ImageList_GetImageInfo
shell32.dll	SHGetFolderPathW
user32.dll	MoveWindow
version.dll	GetFileVersionInfoSizeW
oleaut32.dll	SafeArrayPutElement
advapi32.dll	RegSetValueExW
msvcrt.dll	memcpy
kernel32.dll	SetFileAttributesW
wsock32.dll	gethostbyaddr
ole32.dll	OleRegEnumVerbs
gdi32.dll	Pie
Magnification.dll	MagSetWindowSource
IPHLPAPI.DLL	GetInterfaceInfo
PSAPI.DLL	GetMappedFileNameW

Exports

Name	Ordinal	Address
PyArg_Parse	669	0x7ff0f8
PyArg_ParseTuple	668	0x7ff0f8

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 27, 2023 11:44:13.477447033 CEST	49693	443	192.168.2.6	187.45.187.42
Jul 27, 2023 11:44:13.477518082 CEST	443	49693	187.45.187.42	192.168.2.6
Jul 27, 2023 11:44:13.477627993 CEST	49693	443	192.168.2.6	187.45.187.42
Jul 27, 2023 11:44:14.649091959 CEST	49693	443	192.168.2.6	187.45.187.42
Jul 27, 2023 11:44:14.649169922 CEST	443	49693	187.45.187.42	192.168.2.6
Jul 27, 2023 11:44:15.347961903 CEST	443	49693	187.45.187.42	192.168.2.6
Jul 27, 2023 11:44:15.348211050 CEST	49693	443	192.168.2.6	187.45.187.42
Jul 27, 2023 11:44:18.477387905 CEST	49693	443	192.168.2.6	187.45.187.42
Jul 27, 2023 11:44:18.477463007 CEST	443	49693	187.45.187.42	192.168.2.6
Jul 27, 2023 11:44:18.477884054 CEST	443	49693	187.45.187.42	192.168.2.6
Jul 27, 2023 11:44:18.478035927 CEST	49693	443	192.168.2.6	187.45.187.42
Jul 27, 2023 11:44:18.482595921 CEST	49693	443	192.168.2.6	187.45.187.42
Jul 27, 2023 11:44:18.528301001 CEST	443	49693	187.45.187.42	192.168.2.6
Jul 27, 2023 11:44:19.123910904 CEST	443	49693	187.45.187.42	192.168.2.6
Jul 27, 2023 11:44:19.124007940 CEST	443	49693	187.45.187.42	192.168.2.6
Jul 27, 2023 11:44:19.124049902 CEST	49693	443	192.168.2.6	187.45.187.42
Jul 27, 2023 11:44:19.124089003 CEST	49693	443	192.168.2.6	187.45.187.42
Jul 27, 2023 11:44:19.257991076 CEST	49693	443	192.168.2.6	187.45.187.42
Jul 27, 2023 11:44:19.258075953 CEST	443	49693	187.45.187.42	192.168.2.6
Jul 27, 2023 11:44:19.258101940 CEST	49693	443	192.168.2.6	187.45.187.42
Jul 27, 2023 11:44:19.258255959 CEST	49693	443	192.168.2.6	187.45.187.42
Jul 27, 2023 11:44:31.198245049 CEST	49694	80	192.168.2.6	15.228.77.178
Jul 27, 2023 11:44:34.244177103 CEST	49694	80	192.168.2.6	15.228.77.178
Jul 27, 2023 11:44:40.244678020 CEST	49694	80	192.168.2.6	15.228.77.178

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 27, 2023 11:44:13.058563948 CEST	53107	53	192.168.2.6	8.8.8.8
Jul 27, 2023 11:44:13.422763109 CEST	53	53107	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 27, 2023 11:44:13.058563948 CEST	192.168.2.6	8.8.8.8	0x6c69	Standard query (0)	ebaoffice.com.br	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 27, 2023 11:44:13.422763109 CEST	8.8.8.8	192.168.2.6	0x6c69	No error (0)	ebaoffice.com.br		187.45.187.42	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ebaoffice.com.br

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49693	187.45.187.42	443	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
2023-07-27 09:44:18 UTC	0	OUT	GET /imagens/bo/inspecionando.php HTTP/1.1 Accept: / Accept-Language: en-US Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ebaoffice.com.br Connection: Keep-Alive
2023-07-27 09:44:19 UTC	0	IN	HTTP/1.1 200 OK Connection: close x-powered-by: PHP/5.6.40 content-type: text/html; charset=UTF-8 cache-control: public, max-age=0 expires: Thu, 27 Jul 2023 09:44:19 GMT content-length: 0 date: Thu, 27 Jul 2023 09:44:19 GMT server: LiteSpeed x-ua-compatible: IE=Edge,chrome=1 alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"

Target ID:	0
Start time:	11:43:11
Start date:	27/07/2023
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll"
Imagebase:	0xfc0000
File size:	126'464 bytes
MD5 hash:	3B4636AE519868037940CA5C4272091B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.647753651.0000000002EC7000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Target ID:	1
Start time:	11:43:11
Start date:	27/07/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625'664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	2
Start time:	11:43:11
Start date:	27/07/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll",#1
Imagebase:	0x1b0000
File size:	232'960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	3
Start time:	11:43:11
Start date:	27/07/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll,PyArg_Parse
Imagebase:	0xb20000
File size:	61'952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000002.1009274858.0000000004BB1000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Target ID:	4
Start time:	11:43:11
Start date:	27/07/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll",#1
Imagebase:	0xb20000
File size:	61'952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000002.695693538.0000000004DDF000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Target ID:	5
Start time:	11:43:15
Start date:	27/07/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll,PyArg_ParseTuple
Imagebase:	0xb20000
File size:	61'952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000002.629386243.0000000004F13000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security

Target ID:	6
Start time:	11:43:18
Start date:	27/07/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll,PyArg_ParseTupleAndKeywords
Imagebase:	0xb20000
File size:	61'952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000006.00000002.629611134.0000000004A99000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security

Target ID:	10
Start time:	11:44:09
Start date:	27/07/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6364 -s 748
Imagebase:	0xd90000
File size:	434'592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	11
Start time:	11:44:16
Start date:	27/07/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll",PyArg_Parse
Imagebase:	0xb20000
File size:	61'952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000B.00000002.822158662.0000000004B44000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security

Target ID:	12
Start time:	11:44:16
Start date:	27/07/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll",PyArg_ParseTuple
Imagebase:	0xb20000
File size:	61'952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000C.00000002.832391096.0000000004E0F000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security

Target ID:	13
Start time:	11:44:16
Start date:	27/07/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll",PyArg_ParseTupleAndKeywords
Imagebase:	0xb20000
File size:	61'952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000D.00000002.829864923.0000000004818000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security

Target ID:	14
Start time:	11:44:17
Start date:	27/07/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll",dbkFCallWrapperAddr
Imagebase:	0xb20000
File size:	61'952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000E.00000002.831439500.00000000053CE000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security

Target ID:	15
Start time:	11:44:17
Start date:	27/07/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll",dbkFCallWrapperAddr
Imagebase:	0xb20000
File size:	61'952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000F.00000002.832575325.0000000005356000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security

Target ID:	16
Start time:	11:44:17
Start date:	27/07/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll",dbkFCallWrapperAddr
Imagebase:	0xb20000
File size:	61'952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000010.00000002.831948932.00000000049B3000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security

Target ID:	18
Start time:	11:45:14
Start date:	27/07/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\rundll32.exe"
Imagebase:	0xb20000
File size:	61'952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Target ID:	19
Start time:	11:45:27
Start date:	27/07/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\rundll32.exe"
Imagebase:	0xb20000
File size:	61'952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language